Skip to content

Commit 93040aa

Browse files
akodanevgregkh
akodanev
authored and
gregkh
committed
vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
[ Upstream commit 36f6ee22d2d66046e369757ec6bbe1c482957ba6 ] When running LTP IPsec tests, KASan might report: BUG: KASAN: use-after-free in vti_tunnel_xmit+0xeee/0xff0 [ip_vti] Read of size 4 at addr ffff880dc6ad1980 by task swapper/0/0 ... Call Trace: <IRQ> dump_stack+0x63/0x89 print_address_description+0x7c/0x290 kasan_report+0x28d/0x370 ? vti_tunnel_xmit+0xeee/0xff0 [ip_vti] __asan_report_load4_noabort+0x19/0x20 vti_tunnel_xmit+0xeee/0xff0 [ip_vti] ? vti_init_net+0x190/0x190 [ip_vti] ? save_stack_trace+0x1b/0x20 ? save_stack+0x46/0xd0 dev_hard_start_xmit+0x147/0x510 ? icmp_echo.part.24+0x1f0/0x210 __dev_queue_xmit+0x1394/0x1c60 ... Freed by task 0: save_stack_trace+0x1b/0x20 save_stack+0x46/0xd0 kasan_slab_free+0x70/0xc0 kmem_cache_free+0x81/0x1e0 kfree_skbmem+0xb1/0xe0 kfree_skb+0x75/0x170 kfree_skb_list+0x3e/0x60 __dev_queue_xmit+0x1298/0x1c60 dev_queue_xmit+0x10/0x20 neigh_resolve_output+0x3a8/0x740 ip_finish_output2+0x5c0/0xe70 ip_finish_output+0x4ba/0x680 ip_output+0x1c1/0x3a0 xfrm_output_resume+0xc65/0x13d0 xfrm_output+0x1e4/0x380 xfrm4_output_finish+0x5c/0x70 Can be fixed if we get skb->len before dst_output(). Fixes: b9959fd ("vti: switch to new ip tunnel code") Fixes: 22e1b23 ("vti6: Support inter address family tunneling.") Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent d9cb4dc commit 93040aa

2 files changed

Lines changed: 4 additions & 2 deletions

File tree

net/ipv4/ip_vti.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -156,6 +156,7 @@ static netdev_tx_t vti_xmit(struct sk_buff *skb, struct net_device *dev,
156156
struct ip_tunnel_parm *parms = &tunnel->parms;
157157
struct dst_entry *dst = skb_dst(skb);
158158
struct net_device *tdev; /* Device to other host */
159+
int pkt_len = skb->len;
159160
int err;
160161

161162
if (!dst) {
@@ -199,7 +200,7 @@ static netdev_tx_t vti_xmit(struct sk_buff *skb, struct net_device *dev,
199200

200201
err = dst_output(tunnel->net, skb->sk, skb);
201202
if (net_xmit_eval(err) == 0)
202-
err = skb->len;
203+
err = pkt_len;
203204
iptunnel_xmit_stats(err, &dev->stats, dev->tstats);
204205
return NETDEV_TX_OK;
205206

net/ipv6/ip6_vti.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -434,6 +434,7 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
434434
struct dst_entry *dst = skb_dst(skb);
435435
struct net_device *tdev;
436436
struct xfrm_state *x;
437+
int pkt_len = skb->len;
437438
int err = -1;
438439
int mtu;
439440

@@ -487,7 +488,7 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
487488
struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
488489

489490
u64_stats_update_begin(&tstats->syncp);
490-
tstats->tx_bytes += skb->len;
491+
tstats->tx_bytes += pkt_len;
491492
tstats->tx_packets++;
492493
u64_stats_update_end(&tstats->syncp);
493494
} else {

0 commit comments

Comments
 (0)