WSL2-Linux-Kernel

История

Ahmed Abdelsalam a370d8a3aa ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts [ Upstream commit `a957fa190a` ] In case of seg6 in encap mode, seg6_do_srh_encap() calls set_tun_src() in order to set the src addr of outer IPv6 header. The net_device is required for set_tun_src(). However calling ip6_dst_idev() on dst_entry in case of IPv4 traffic results on the following bug. Using just dst->dev should fix this BUG. [ 196.242461] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 [ 196.242975] PGD 800000010f076067 P4D 800000010f076067 PUD 10f060067 PMD 0 [ 196.243329] Oops: 0000 [#1] SMP PTI [ 196.243468] Modules linked in: nfsd auth_rpcgss nfs_acl nfs lockd grace fscache sunrpc crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd input_leds glue_helper led_class pcspkr serio_raw mac_hid video autofs4 hid_generic usbhid hid e1000 i2c_piix4 ahci pata_acpi libahci [ 196.244362] CPU: 2 PID: 1089 Comm: ping Not tainted 4.16.0+ #1 [ 196.244606] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 196.244968] RIP: 0010:seg6_do_srh_encap+0x1ac/0x300 [ 196.245236] RSP: 0018:ffffb2ce00b23a60 EFLAGS: 00010202 [ 196.245464] RAX: 0000000000000000 RBX: ffff8c7f53eea300 RCX: 0000000000000000 [ 196.245742] RDX: 0000f10000000000 RSI: ffff8c7f52085a6c RDI: ffff8c7f41166850 [ 196.246018] RBP: ffffb2ce00b23aa8 R08: 00000000000261e0 R09: ffff8c7f41166800 [ 196.246294] R10: ffffdce5040ac780 R11: ffff8c7f41166828 R12: ffff8c7f41166808 [ 196.246570] R13: ffff8c7f52085a44 R14: ffffffffb73211c0 R15: ffff8c7e69e44200 [ 196.246846] FS: 00007fc448789700(0000) GS:ffff8c7f59d00000(0000) knlGS:0000000000000000 [ 196.247286] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 196.247526] CR2: 0000000000000000 CR3: 000000010f05a000 CR4: 00000000000406e0 [ 196.247804] Call Trace: [ 196.247972] seg6_do_srh+0x15b/0x1c0 [ 196.248156] seg6_output+0x3c/0x220 [ 196.248341] ? prandom_u32+0x14/0x20 [ 196.248526] ? ip_idents_reserve+0x6c/0x80 [ 196.248723] ? __ip_select_ident+0x90/0x100 [ 196.248923] ? ip_append_data.part.50+0x6c/0xd0 [ 196.249133] lwtunnel_output+0x44/0x70 [ 196.249328] ip_send_skb+0x15/0x40 [ 196.249515] raw_sendmsg+0x8c3/0xac0 [ 196.249701] ? _copy_from_user+0x2e/0x60 [ 196.249897] ? rw_copy_check_uvector+0x53/0x110 [ 196.250106] ? _copy_from_user+0x2e/0x60 [ 196.250299] ? copy_msghdr_from_user+0xce/0x140 [ 196.250508] sock_sendmsg+0x36/0x40 [ 196.250690] ___sys_sendmsg+0x292/0x2a0 [ 196.250881] ? _cond_resched+0x15/0x30 [ 196.251074] ? copy_termios+0x1e/0x70 [ 196.251261] ? _copy_to_user+0x22/0x30 [ 196.251575] ? tty_mode_ioctl+0x1c3/0x4e0 [ 196.251782] ? _cond_resched+0x15/0x30 [ 196.251972] ? mutex_lock+0xe/0x30 [ 196.252152] ? vvar_fault+0xd2/0x110 [ 196.252337] ? __do_fault+0x1f/0xc0 [ 196.252521] ? __handle_mm_fault+0xc1f/0x12d0 [ 196.252727] ? __sys_sendmsg+0x63/0xa0 [ 196.252919] __sys_sendmsg+0x63/0xa0 [ 196.253107] do_syscall_64+0x72/0x200 [ 196.253305] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 196.253530] RIP: 0033:0x7fc4480b0690 [ 196.253715] RSP: 002b:00007ffde9f252f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 196.254053] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 00007fc4480b0690 [ 196.254331] RDX: 0000000000000000 RSI: 000000000060a360 RDI: 0000000000000003 [ 196.254608] RBP: 00007ffde9f253f0 R08: 00000000002d1e81 R09: 0000000000000002 [ 196.254884] R10: 00007ffde9f250c0 R11: 0000000000000246 R12: 0000000000b22070 [ 196.255205] R13: 20c49ba5e353f7cf R14: 431bde82d7b634db R15: 00007ffde9f278fe [ 196.255484] Code: a5 0f b6 45 c0 41 88 41 28 41 0f b6 41 2c 48 c1 e0 04 49 8b 54 01 38 49 8b 44 01 30 49 89 51 20 49 89 41 18 48 8b 83 b0 00 00 00 <48> 8b 30 49 8b 86 08 0b 00 00 48 8b 40 20 48 8b 50 08 48 0b 10 [ 196.256190] RIP: seg6_do_srh_encap+0x1ac/0x300 RSP: ffffb2ce00b23a60 [ 196.256445] CR2: 0000000000000000 [ 196.256676] ---[ end trace 71af7d093603885c ]--- Fixes: `8936ef7604` ("ipv6: sr: fix NULL pointer dereference when setting encap source address") Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com> Acked-by: David Lebrun <dlebrun@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2018-04-29 11:33:10 +02:00
..
ila	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
netfilter	netfilter: compat: prepare xt_compat_init_offsets to return errors	2018-04-26 11:02:21 +02:00
Kconfig	…
Makefile	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
addrconf.c	net: ipv6: send unsolicited NA after DAD	2018-02-13 10:19:48 +01:00
addrconf_core.c	…
addrlabel.c	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
af_inet6.c	ipv6: Fix SO_REUSEPORT UDP socket with implicit sk_ipv6only	2018-02-13 10:19:48 +01:00
ah6.c	…
anycast.c	…
calipso.c	…
datagram.c	ipv6: old_dport should be a __be16 in __ip6_datagram_connect()	2018-03-31 18:10:39 +02:00
esp6.c	…
esp6_offload.c	esp: Fix GRO when the headers not fully in the linear part of the skb.	2018-02-25 11:07:46 +01:00
exthdrs.c	ipv6: sr: fix TLVs not being copied using setsockopt	2018-01-17 09:45:23 +01:00
exthdrs_core.c	…
exthdrs_offload.c	…
fib6_notifier.c	…
fib6_rules.c	…
fou6.c	…
icmp.c	…
inet6_connection_sock.c	…
inet6_hashtables.c	…
ip6_checksum.c	udplite: fix partial checksum initialization	2018-03-08 22:41:10 -08:00
ip6_fib.c	…
ip6_flowlabel.c	…
ip6_gre.c	ip6_gre: better validate user provided tunnel names	2018-04-12 12:32:25 +02:00
ip6_icmp.c	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
ip6_input.c	…
ip6_offload.c	…
ip6_offload.h	…
ip6_output.c	net/ipv6: Increment OUTxxx counters after netfilter hook	2018-04-12 12:32:23 +02:00
ip6_tunnel.c	ip6_tunnel: better validate user provided tunnel names	2018-04-12 12:32:25 +02:00
ip6_udp_tunnel.c	…
ip6_vti.c	vti6: better validate user provided tunnel names	2018-04-12 12:32:25 +02:00
ip6mr.c	ip6mr: fix stale iterator	2018-02-13 10:19:47 +01:00
ipcomp6.c	…
ipv6_sockglue.c	netfilter: drop outermost socket lock in getsockopt()	2018-02-28 10:19:38 +01:00
mcast.c	ipv6: mcast: better catch silly mtu values	2018-01-02 20:31:06 +01:00
mcast_snoop.c	…
mip6.c	…
ndisc.c	ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()	2018-03-31 18:10:41 +02:00
netfilter.c	netfilter: use skb_to_full_sk in ip6_route_me_harder	2018-03-15 10:54:24 +01:00
output_core.c	net: accept UFO datagrams from tuntap and packet	2017-12-17 15:07:58 +01:00
ping.c	…
proc.c	…
protocol.c	…
raw.c	…
reassembly.c	…
route.c	ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy	2018-04-29 11:33:10 +02:00
seg6.c	…
seg6_hmac.c	…
seg6_iptunnel.c	ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts	2018-04-29 11:33:10 +02:00
seg6_local.c	…
sit.c	ipv6: sit: better validate user provided tunnel names	2018-04-12 12:32:25 +02:00
syncookies.c	…
sysctl_net_ipv6.c	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
tcp_ipv6.c	tcp md5sig: Use skb's saddr when replying to an incoming segment	2018-01-02 20:31:07 +01:00
tcpv6_offload.c	gso: validate gso_type in GSO handlers	2018-01-31 14:03:47 +01:00
tunnel6.c	…
udp.c	…
udp_impl.h	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
udp_offload.c	gso: validate gso_type in GSO handlers	2018-01-31 14:03:47 +01:00
udplite.c	…
xfrm6_input.c	xfrm: Reinject transport-mode packets through tasklet	2018-03-03 10:24:25 +01:00
xfrm6_mode_beet.c	…
xfrm6_mode_ro.c	…
xfrm6_mode_transport.c	…
xfrm6_mode_tunnel.c	…
xfrm6_output.c	…
xfrm6_policy.c	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
xfrm6_protocol.c	…
xfrm6_state.c	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
xfrm6_tunnel.c	…