sst-linux/net/ipv4
Lin Ma 21748669c5 net: fix geneve_opt length integer overflow
[ Upstream commit b27055a08ad4b415dcf15b63034f9cb236f7fb40 ]

struct geneve_opt uses a 5-bit length for each single option, which
means every variable-size option should be smaller than 128 bytes.

However, none of the current related Netlink policies can guarantee this
length condition, and an attacker can exploit an exactly 128-byte
option to *fake* a zero-length option and confuse the parsing logic,
further achieving a heap out-of-bounds read.

One example crash log is shown below:

[    3.905425] ==================================================================
[    3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0
[    3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177
[    3.906646]
[    3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1
[    3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[    3.907784] Call Trace:
[    3.907925]  <TASK>
[    3.908048]  dump_stack_lvl+0x44/0x5c
[    3.908258]  print_report+0x184/0x4be
[    3.909151]  kasan_report+0xc5/0x100
[    3.909539]  kasan_check_range+0xf3/0x1a0
[    3.909794]  memcpy+0x1f/0x60
[    3.909968]  nla_put+0xa9/0xe0
[    3.910147]  tunnel_key_dump+0x945/0xba0
[    3.911536]  tcf_action_dump_1+0x1c1/0x340
[    3.912436]  tcf_action_dump+0x101/0x180
[    3.912689]  tcf_exts_dump+0x164/0x1e0
[    3.912905]  fw_dump+0x18b/0x2d0
[    3.913483]  tcf_fill_node+0x2ee/0x460
[    3.914778]  tfilter_notify+0xf4/0x180
[    3.915208]  tc_new_tfilter+0xd51/0x10d0
[    3.918615]  rtnetlink_rcv_msg+0x4a2/0x560
[    3.919118]  netlink_rcv_skb+0xcd/0x200
[    3.919787]  netlink_unicast+0x395/0x530
[    3.921032]  netlink_sendmsg+0x3d0/0x6d0
[    3.921987]  __sock_sendmsg+0x99/0xa0
[    3.922220]  __sys_sendto+0x1b7/0x240
[    3.922682]  __x64_sys_sendto+0x72/0x90
[    3.922906]  do_syscall_64+0x5e/0x90
[    3.923814]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[    3.924122] RIP: 0033:0x7e83eab84407
[    3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
[    3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[    3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407
[    3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003
[    3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c
[    3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0
[    3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8

Fix these issues by enforcing the correct length condition in the related
policies.

Fixes: 925d844696 ("netfilter: nft_tunnel: add support for geneve opts")
Fixes: 4ece477870 ("lwtunnel: add options setting and dumping for geneve")
Fixes: 0ed5269f9e ("net/sched: add tunnel option support to act_tunnel_key")
Fixes: 0a6e77784f ("net/sched: allow flower to match tunnel options")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Link: https://patch.msgid.link/20250402165632.6958-1-linma@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-04-10 14:33:41 +02:00
bpfilter
netfilter netfilter: fib: check correct rtable in vrf setups 2024-10-17 15:22:22 +02:00
af_inet.c net: inet: do not leave a dangling sk pointer in inet_create() 2024-12-14 19:54:41 +01:00
ah4.c xfrm: ah: add extack to ah_init_state, ah6_init_state 2022-09-29 07:17:59 +02:00
arp.c arp: switch to dev_getbyhwaddr() in arp_req_set_public() 2025-03-07 16:56:36 +01:00
bpf_tcp_ca.c bpf: Use 0 instead of NOT_INIT for btf_struct_access() writes 2022-09-10 17:27:32 -07:00
cipso_ipv4.c net: use unrcu_pointer() helper 2024-12-14 19:53:33 +01:00
datagram.c ipv4: fix data-races around inet->inet_id 2023-08-30 16:11:02 +02:00
devinet.c ipv4: use RCU protection in inet_select_addr() 2025-02-21 13:50:07 +01:00
esp4_offload.c xfrm: Linearize the skb after offloading if needed. 2023-06-28 11:12:29 +02:00
esp4.c net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP 2024-08-03 08:49:03 +02:00
fib_frontend.c ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family 2024-10-17 15:21:38 +02:00
fib_lookup.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-02-17 11:44:20 -08:00
fib_notifier.c net: ipv4: remove superfluous header files from fib_notifier.c 2021-09-28 17:32:56 -07:00
fib_rules.c ipv4: remove unnecessary type castings 2022-04-30 15:12:58 +01:00
fib_semantics.c ipv4: fix source address selection with route leak 2024-08-03 08:49:31 +02:00
fib_trie.c ipv4: Fix incorrect TOS in route get reply 2024-08-03 08:49:24 +02:00
fou.c fou: fix initialization of grc 2024-09-18 19:23:05 +02:00
gre_demux.c net: Remove the member netns_ok 2021-05-17 15:29:35 -07:00
gre_offload.c net: gro: skb_gro_header helper function 2022-08-25 10:33:21 +02:00
icmp.c ipv4: Convert ip_route_input() to dscp_t. 2025-03-07 16:56:44 +01:00
igmp.c ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet 2023-12-08 08:51:17 +01:00
inet_connection_sock.c tcp: Fix use-after-free of nreq in reqsk_timer_handler(). 2024-12-14 19:53:52 +01:00
inet_diag.c sock_diag: allow concurrent operation in sock_diag_rcv_msg() 2024-12-14 19:53:33 +01:00
inet_fragment.c inet: inet_defrag: prevent sk release while still in use 2024-04-10 16:28:23 +02:00
inet_hashtables.c net: remove duplicate reuseport_lookup functions 2024-06-12 11:03:12 +02:00
inet_timewait_sock.c tcp/dccp: do not care about families in inet_twsk_purge() 2024-08-29 17:30:44 +02:00
inetpeer.c inetpeer: do not get a refcount in inet_getpeer() 2025-02-21 13:49:01 +01:00
ip_forward.c ip: Fix data-races around sysctl_ip_fwd_update_priority. 2022-07-15 11:49:55 +01:00
ip_fragment.c inetpeer: do not get a refcount in inet_getpeer() 2025-02-21 13:49:01 +01:00
ip_gre.c ipv4: ip_gre: Fix drops of small packets in ipgre_xmit 2024-10-17 15:21:32 +02:00
ip_input.c ipv4: ignore dst hint for multipath routes 2023-09-19 12:28:01 +02:00
ip_options.c ipv4: Convert ip_route_input() to dscp_t. 2025-03-07 16:56:44 +01:00
ip_output.c net-timestamp: make sk_tskey more predictable in error path 2024-12-14 19:54:21 +01:00
ip_sockglue.c ipmr: fix kernel panic when forwarding mcast packets 2024-02-05 20:13:00 +00:00
ip_tunnel_core.c net: fix geneve_opt length integer overflow 2025-04-10 14:33:41 +02:00
ip_tunnel.c ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() 2025-02-01 18:30:10 +01:00
ip_vti.c ip_vti: fix potential slab-use-after-free in decode_session6 2023-08-23 17:52:32 +02:00
ipcomp.c xfrm: ipcomp: add extack to ipcomp{4,6}_init_state 2022-09-29 07:18:00 +02:00
ipconfig.c Driver core / kernfs changes for 6.0-rc1 2022-08-04 11:31:20 -07:00
ipip.c ipip,ip_tunnel,sit: Add FOU support for externally controlled ipip devices 2025-01-09 13:30:00 +01:00
ipmr_base.c ipmr: do not call mr_mfc_uses_dev() for unres entries 2025-02-21 13:49:22 +01:00
ipmr.c ipmr: fix tables suspicious RCU usage 2024-12-14 19:53:52 +01:00
Kconfig tcp: configurable source port perturb table size 2022-11-16 13:02:04 +00:00
Makefile bpf: Clean up sockmap related Kconfigs 2021-02-26 12:28:03 -08:00
metrics.c ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() 2023-02-01 08:34:45 +01:00
netfilter.c netfilter: Use l3mdev flow key when re-routing mangled packets 2022-05-16 13:03:29 +02:00
netlink.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
nexthop.c net: nexthop: Initialize all fields in dumped nexthops 2024-08-03 08:49:50 +02:00
ping.c ping: Fix potential NULL deref for /proc/net/icmp. 2023-04-13 16:55:24 +02:00
proc.c icmp: Add counters for rate limits 2024-10-17 15:21:27 +02:00
protocol.c net: Remove the member netns_ok 2021-05-17 15:29:35 -07:00
raw_diag.c raw: Fix NULL deref in raw_get_next(). 2023-04-13 16:55:23 +02:00
raw.c ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels 2024-03-26 18:21:00 -04:00
route.c ipv4: use RCU protection in __ip_rt_update_pmtu() 2025-02-21 13:50:07 +01:00
syncookies.c tcp: fix cookie_init_timestamp() overflows 2023-11-20 11:51:54 +01:00
sysctl_net_ipv4.c tcp: enforce receive buffer memory limits by allowing the tcp window to shrink 2023-10-19 23:08:54 +02:00
tcp_bbr.c bpf: Switch to new kfunc flags infrastructure 2022-07-21 20:59:42 -07:00
tcp_bic.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_bpf.c bpf: Fix wrong copied_seq calculation 2025-03-07 16:56:37 +01:00
tcp_cdg.c Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
tcp_cong.c tcp: Add tracepoint for tcp_set_ca_state 2022-04-07 20:33:15 -07:00
tcp_cubic.c tcp_cubic: fix incorrect HyStart round start detection 2025-02-21 13:49:06 +01:00
tcp_dctcp.c tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). 2024-06-12 11:03:51 +02:00
tcp_dctcp.h tcp: refactor DCTCP ECN ACK handling 2018-10-10 22:26:00 -07:00
tcp_diag.c tcp: Access &tcp_hashinfo via net. 2022-09-20 10:21:49 -07:00
tcp_fastopen.c tcp: drop secpath at the same time as we currently drop dst 2025-03-07 16:56:36 +01:00
tcp_highspeed.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_htcp.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_hybla.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_illinois.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_input.c tcp: drop secpath at the same time as we currently drop dst 2025-03-07 16:56:36 +01:00
tcp_ipv4.c tcp: drop secpath at the same time as we currently drop dst 2025-03-07 16:56:36 +01:00
tcp_lp.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_metrics.c tcp_metrics: validate source addr length 2024-07-11 12:47:11 +02:00
tcp_minisocks.c tcp: Defer ts_recent changes until req is owned 2025-03-07 16:56:45 +01:00
tcp_nv.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_offload.c net-timestamp: support TCP GSO case for a few missing flags 2025-03-13 12:53:18 +01:00
tcp_output.c tcp: check space before adding MPTCP SYN options 2024-12-19 18:08:48 +01:00
tcp_rate.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-04-28 13:02:01 -07:00
tcp_recovery.c tcp: fix excessive TLP and RACK timeouts from HZ rounding 2023-10-25 12:03:06 +02:00
tcp_scalable.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_timer.c tcp: fix race in tcp_write_err() 2024-08-03 08:49:04 +02:00
tcp_ulp.c net/ulp: use consistent error code when blocking ULP 2023-01-24 07:24:43 +01:00
tcp_vegas.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_vegas.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
tcp_veno.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_westwood.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp_yeah.c tcp: add accessors to read/set tp->snd_cwnd 2022-04-06 12:05:41 -07:00
tcp.c tcp: fix forever orphan socket caused by tcp_abort 2025-03-28 21:58:57 +01:00
tunnel4.c net: Remove the member netns_ok 2021-05-17 15:29:35 -07:00
udp_bpf.c bpf, sockmap: Fix an infinite loop error when len is 0 in tcp_bpf_recvmsg_parser() 2023-03-17 08:50:24 +01:00
udp_diag.c net: Use nlmsg_unicast() instead of netlink_unicast() 2021-07-13 09:28:29 -07:00
udp_impl.h net: remove noblock parameter from recvmsg() entities 2022-04-12 15:00:25 +02:00
udp_offload.c net: gso: fix ownership in __udp_gso_segment 2025-03-13 12:53:16 +01:00
udp_tunnel_core.c udp: lockless UDP_ENCAP_L2TPINUDP / UDP_GRO 2024-01-10 17:10:28 +01:00
udp_tunnel_nic.c udp_tunnel: Fix end of loop test in udp_tunnel_nic_unregister() 2022-02-23 12:35:00 +00:00
udp_tunnel_stub.c udp_tunnel: add central NIC RX port offload infrastructure 2020-07-10 13:54:00 -07:00
udp.c udp: Fix memory accounting leak. 2025-04-10 14:33:40 +02:00
udplite.c udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated(). 2023-05-30 14:03:20 +01:00
xfrm4_input.c xfrm: Preserve vlan tags for transport mode software GRO 2024-05-17 11:56:10 +02:00
xfrm4_output.c xfrm: fix unused variable warning if CONFIG_NETFILTER=n 2020-05-11 15:12:27 +02:00
xfrm4_policy.c xfrm: respect ip protocols rules criteria when performing dst lookups 2024-11-01 01:56:03 +01:00
xfrm4_protocol.c net: xfrm: unexport __init-annotated xfrm4_protocol_init() 2022-06-08 10:10:13 -07:00
xfrm4_state.c xfrm: remove output_finish indirection from xfrm_state_afinfo 2020-05-06 09:40:08 +02:00
xfrm4_tunnel.c xfrm: tunnel: add extack to ipip_init_state, xfrm6_tunnel_init_state 2022-09-29 07:18:00 +02:00