• Eric Dumazet's avatar
    net-gro: fix use-after-free read in napi_gro_frags() · 60f1d01c
    Eric Dumazet authored
    BugLink: https://bugs.launchpad.net/bugs/1832661
    
    [ Upstream commit a4270d67 ]
    
    If a network driver provides to napi_gro_frags() an
    skb with a page fragment of exactly 14 bytes, the call
    to gro_pull_from_frag0() will 'consume' the fragment
    by calling skb_frag_unref(skb, 0), and the page might
    be freed and reused.
    
    Reading eth->h_proto at the end of napi_frags_skb() might
    read mangled data, or crash under specific debugging features.
    
    BUG: KASAN: use-after-free in napi_frags_skb net/core/dev.c:5833 [inline]
    BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
    Read of size 2 at addr ffff88809366840c by task syz-executor599/8957
    
    CPU: 1 PID: 8957 Comm: syz-executor599 Not tainted 5.2.0-rc1+ #32
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x172/0x1f0 lib/dump_stack.c:113
     print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
     __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
     kasan_report+0x12/0x20 mm/kasan/common.c:614
     __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:142
     napi_frags_skb net/core/dev.c:5833 [inline]
     napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
     tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1991
     tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037
     call_write_iter include/linux/fs.h:1872 [inline]
     do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693
     do_iter_write fs/read_write.c:970 [inline]
     do_iter_write+0x184/0x610 fs/read_write.c:951
     vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
     do_writev+0x15b/0x330 fs/read_write.c:1058
    
    Fixes: a50e233c ("net-gro: restore frag0 optimization")
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
    Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
    60f1d01c
dev.c 197 KB