vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit · 36f6ee22
Alexey Kodanev authored
    When running LTP IPsec tests, KASan might report:
    
    BUG: KASAN: use-after-free in vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
    Read of size 4 at addr ffff880dc6ad1980 by task swapper/0/0
    ...
    Call Trace:
      <IRQ>
      dump_stack+0x63/0x89
      print_address_description+0x7c/0x290
      kasan_report+0x28d/0x370
      ? vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
      __asan_report_load4_noabort+0x19/0x20
      vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
      ? vti_init_net+0x190/0x190 [ip_vti]
      ? save_stack_trace+0x1b/0x20
      ? save_stack+0x46/0xd0
      dev_hard_start_xmit+0x147/0x510
      ? icmp_echo.part.24+0x1f0/0x210
      __dev_queue_xmit+0x1394/0x1c60
    ...
    Freed by task 0:
      save_stack_trace+0x1b/0x20
      save_stack+0x46/0xd0
      kasan_slab_free+0x70/0xc0
      kmem_cache_free+0x81/0x1e0
      kfree_skbmem+0xb1/0xe0
      kfree_skb+0x75/0x170
      kfree_skb_list+0x3e/0x60
      __dev_queue_xmit+0x1298/0x1c60
      dev_queue_xmit+0x10/0x20
      neigh_resolve_output+0x3a8/0x740
      ip_finish_output2+0x5c0/0xe70
      ip_finish_output+0x4ba/0x680
      ip_output+0x1c1/0x3a0
      xfrm_output_resume+0xc65/0x13d0
      xfrm_output+0x1e4/0x380
      xfrm4_output_finish+0x5c/0x70
    
    Can be fixed if we get skb->len before dst_output().
    
    Fixes: b9959fd3 ("vti: switch to new ip tunnel code")
    Fixes: 22e1b23d ("vti6: Support inter address family tunneling.")
    Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
ip6_vti.c 28.5 KB
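The commit message above describes an ownership bug: `dst_output()` hands the skb to the lower layers, which may free it before it returns (the "Freed by task 0" trace shows `kfree_skb()` under `__dev_queue_xmit`), so reading `skb->len` afterwards for the byte counters is a use after free. The following added example is not kernel code and not part of the commit; it is a constructed user-space model of the corrected ordering. `struct sk_buff`, `mock_dst_output()`, `struct tx_stats`, `vti_xmit_fixed()` and `run_fixed_xmit_demo()` are all assumptions made for illustration, and the mock poisons and frees the skb on every path so that any dereference after the call would be caught by a sanitizer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct sk_buff: only the one
 * field the fix depends on. This is an added model, not kernel code. */
struct sk_buff {
	unsigned int len;
};

/* Hypothetical mock of dst_output(). Like the real function it takes
 * ownership of the skb: on every return path the skb has been handed
 * down and may already be freed. The mock poisons and frees it so that
 * any later dereference is unmistakably a use after free. */
static int mock_dst_output(struct sk_buff *skb)
{
	int err = (skb->len == 0) ? -1 : 0;	/* constructed failure case */

	memset(skb, 0xa5, sizeof(*skb));
	free(skb);
	return err;
}

struct tx_stats {
	unsigned long tx_packets;
	unsigned long tx_bytes;
	unsigned long tx_errors;
};

/* The corrected ordering from the commit: capture the length while the
 * skb is still owned by this function, and use only that local copy for
 * accounting after dst_output() has consumed the skb. */
static void vti_xmit_fixed(struct sk_buff *skb, struct tx_stats *st)
{
	unsigned int pkt_len = skb->len;	/* read before ownership is given away */
	int err = mock_dst_output(skb);		/* skb must not be touched after this */

	if (err < 0) {
		st->tx_errors++;
		return;
	}
	st->tx_packets++;
	st->tx_bytes += pkt_len;		/* local copy, never skb->len */
}

static struct sk_buff *make_skb(unsigned int len)
{
	struct sk_buff *skb = calloc(1, sizeof(*skb));

	if (!skb) {
		perror("calloc");
		exit(1);
	}
	skb->len = len;
	return skb;
}

/* Runs three constructed transmits (two accepted, one the mock rejects)
 * and returns the accumulated counters: 2 packets, 160 bytes, 1 error. */
struct tx_stats run_fixed_xmit_demo(void)
{
	struct tx_stats st = {0, 0, 0};

	vti_xmit_fixed(make_skb(100), &st);
	vti_xmit_fixed(make_skb(0), &st);	/* error path: counted, no bytes */
	vti_xmit_fixed(make_skb(60), &st);
	return st;
}

int main(void)
{
	struct tx_stats st = run_fixed_xmit_demo();

	printf("tx_packets=%lu tx_bytes=%lu tx_errors=%lu\n",
	       st.tx_packets, st.tx_bytes, st.tx_errors);
	return 0;
}
```

Building the model with `-fsanitize=address` is a quick way to confirm the point: moving the `pkt_len` read to after `mock_dst_output()` reproduces the class of report quoted in the commit message, while the ordering shown here runs clean. The same discipline applies to any kernel call that consumes its argument: everything the caller still needs afterwards has to be copied out before the call.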