diff mbox series

[net,v2] ipv4: Fix potential uninit variable access buf in __ip_make_skb()

Message ID 20230410014526.4035442-1-william.xuanziyang@huawei.com (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Headers show
Series [net,v2] ipv4: Fix potential uninit variable access buf in __ip_make_skb() | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 20 this patch: 20
netdev/cc_maintainers fail 1 blamed authors not CCed: dlstevens@us.ibm.com; 1 maintainers not CCed: dlstevens@us.ibm.com
netdev/build_clang success Errors and warnings before: 18 this patch: 18
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 20 this patch: 20
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 18 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Ziyang Xuan (William) April 10, 2023, 1:45 a.m. UTC 
Like commit ea30388baebc ("ipv6: Fix an uninit variable access bug in
__ip6_make_skb()"). icmphdr does not in skb linear region under the
scenario of SOCK_RAW socket. Access icmp_hdr(skb)->type directly will
trigger the uninit variable access bug.

Use a local variable icmp_type to carry the correct value in different
scenarios.

Fixes: 96793b482540 ("[IPV4]: Add ICMPMsgStats MIB (RFC 4293)")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
---
v2:
  - Use sk->sk_type not sk->sk_socket->type.
---
 net/ipv4/ip_output.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

Comments

Willem de Bruijn April 10, 2023, 2:30 p.m. UTC | #1 
Ziyang Xuan wrote:
> Like commit ea30388baebc ("ipv6: Fix an uninit variable access bug in
> __ip6_make_skb()"). icmphdr does not in skb linear region under the
> scenario of SOCK_RAW socket. Access icmp_hdr(skb)->type directly will
> trigger the uninit variable access bug.
> 
> Use a local variable icmp_type to carry the correct value in different
> scenarios.
> 
> Fixes: 96793b482540 ("[IPV4]: Add ICMPMsgStats MIB (RFC 4293)")
> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
> ---
> v2:
>   - Use sk->sk_type not sk->sk_socket->type.

This is reached through

  raw_sendmsg
    raw_probe_proto_opt
    ip_push_pending_frames
      ip_finish_skb
        __ip_make_skb

At this point, the icmp header has already been copied into skb linear
area. Is the isue that icmp_hdr/skb_transport_header is not set in
this path? 

> ---
>  net/ipv4/ip_output.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> index 4e4e308c3230..21507c9ce0fc 100644
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -1570,9 +1570,15 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
>  	cork->dst = NULL;
>  	skb_dst_set(skb, &rt->dst);
>  
> -	if (iph->protocol == IPPROTO_ICMP)
> -		icmp_out_count(net, ((struct icmphdr *)
> -			skb_transport_header(skb))->type);
> +	if (iph->protocol == IPPROTO_ICMP) {
> +		u8 icmp_type;
> +
> +		if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)
> +			icmp_type = fl4->fl4_icmp_type;
> +		else
> +			icmp_type = icmp_hdr(skb)->type;
> +		icmp_out_count(net, icmp_type);
> +	}
>  
>  	ip_cork_release(cork);
>  out:
> -- 
> 2.25.1
>
Ziyang Xuan (William) April 11, 2023, 9:39 a.m. UTC | #2 
> Ziyang Xuan wrote:
>> Like commit ea30388baebc ("ipv6: Fix an uninit variable access bug in
>> __ip6_make_skb()"). icmphdr does not in skb linear region under the
>> scenario of SOCK_RAW socket. Access icmp_hdr(skb)->type directly will
>> trigger the uninit variable access bug.
>>
>> Use a local variable icmp_type to carry the correct value in different
>> scenarios.
>>
>> Fixes: 96793b482540 ("[IPV4]: Add ICMPMsgStats MIB (RFC 4293)")
>> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
>> ---
>> v2:
>>   - Use sk->sk_type not sk->sk_socket->type.
> 
> This is reached through
> 
>   raw_sendmsg
>     raw_probe_proto_opt
>     ip_push_pending_frames
>       ip_finish_skb
>         __ip_make_skb
> 
> At this point, the icmp header has already been copied into skb linear
> area. Is the isue that icmp_hdr/skb_transport_header is not set in
> this path? 
> 
Hello Willem,

raw_sendmsg
  ip_append_data(..., transhdrlen==0, ...) // !inet->hdrincl

Parameter "transhdrlen" of ip_append_data() equals to 0 in raw_sendmsg()
not sizeof(struct icmphdr) as in ping_v4_sendmsg().

William Xuan.
>> ---
>>  net/ipv4/ip_output.c | 12 +++++++++---
>>  1 file changed, 9 insertions(+), 3 deletions(-)
>>
>> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
>> index 4e4e308c3230..21507c9ce0fc 100644
>> --- a/net/ipv4/ip_output.c
>> +++ b/net/ipv4/ip_output.c
>> @@ -1570,9 +1570,15 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
>>  	cork->dst = NULL;
>>  	skb_dst_set(skb, &rt->dst);
>>  
>> -	if (iph->protocol == IPPROTO_ICMP)
>> -		icmp_out_count(net, ((struct icmphdr *)
>> -			skb_transport_header(skb))->type);
>> +	if (iph->protocol == IPPROTO_ICMP) {
>> +		u8 icmp_type;
>> +
>> +		if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)
>> +			icmp_type = fl4->fl4_icmp_type;
>> +		else
>> +			icmp_type = icmp_hdr(skb)->type;
>> +		icmp_out_count(net, icmp_type);
>> +	}
>>  
>>  	ip_cork_release(cork);
>>  out:
>> -- 
>> 2.25.1
>>
> 
> 
> .
>
Ziyang Xuan (William) April 18, 2023, 12:58 p.m. UTC | #3 
>> Ziyang Xuan wrote:
>>> Like commit ea30388baebc ("ipv6: Fix an uninit variable access bug in
>>> __ip6_make_skb()"). icmphdr does not in skb linear region under the
>>> scenario of SOCK_RAW socket. Access icmp_hdr(skb)->type directly will
>>> trigger the uninit variable access bug.
>>>
>>> Use a local variable icmp_type to carry the correct value in different
>>> scenarios.
>>>
>>> Fixes: 96793b482540 ("[IPV4]: Add ICMPMsgStats MIB (RFC 4293)")
>>> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
>>> ---
>>> v2:
>>>   - Use sk->sk_type not sk->sk_socket->type.
>>
>> This is reached through
>>
>>   raw_sendmsg
>>     raw_probe_proto_opt
>>     ip_push_pending_frames
>>       ip_finish_skb
>>         __ip_make_skb
>>
>> At this point, the icmp header has already been copied into skb linear
>> area. Is the isue that icmp_hdr/skb_transport_header is not set in
>> this path? 
>>
> Hello Willem,
> 
> raw_sendmsg
>   ip_append_data(..., transhdrlen==0, ...) // !inet->hdrincl
> 
> Parameter "transhdrlen" of ip_append_data() equals to 0 in raw_sendmsg()
> not sizeof(struct icmphdr) as in ping_v4_sendmsg().
> 
> William Xuan.
Hello Willem,

Does my answer answer your doubts?

William Xuan
>>> ---
>>>  net/ipv4/ip_output.c | 12 +++++++++---
>>>  1 file changed, 9 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
>>> index 4e4e308c3230..21507c9ce0fc 100644
>>> --- a/net/ipv4/ip_output.c
>>> +++ b/net/ipv4/ip_output.c
>>> @@ -1570,9 +1570,15 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
>>>  	cork->dst = NULL;
>>>  	skb_dst_set(skb, &rt->dst);
>>>  
>>> -	if (iph->protocol == IPPROTO_ICMP)
>>> -		icmp_out_count(net, ((struct icmphdr *)
>>> -			skb_transport_header(skb))->type);
>>> +	if (iph->protocol == IPPROTO_ICMP) {
>>> +		u8 icmp_type;
>>> +
>>> +		if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)
>>> +			icmp_type = fl4->fl4_icmp_type;
>>> +		else
>>> +			icmp_type = icmp_hdr(skb)->type;
>>> +		icmp_out_count(net, icmp_type);
>>> +	}
>>>  
>>>  	ip_cork_release(cork);
>>>  out:
>>> -- 
>>> 2.25.1
>>>
>>
>>
>> .
>>
> 
> .
>
Willem de Bruijn April 18, 2023, 2:28 p.m. UTC | #4 
Ziyang Xuan (William) wrote:
> >> Ziyang Xuan wrote:
> >>> Like commit ea30388baebc ("ipv6: Fix an uninit variable access bug in
> >>> __ip6_make_skb()"). icmphdr does not in skb linear region under the
> >>> scenario of SOCK_RAW socket. Access icmp_hdr(skb)->type directly will
> >>> trigger the uninit variable access bug.
> >>>
> >>> Use a local variable icmp_type to carry the correct value in different
> >>> scenarios.
> >>>
> >>> Fixes: 96793b482540 ("[IPV4]: Add ICMPMsgStats MIB (RFC 4293)")
> >>> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
> >>> ---
> >>> v2:
> >>>   - Use sk->sk_type not sk->sk_socket->type.
> >>
> >> This is reached through
> >>
> >>   raw_sendmsg
> >>     raw_probe_proto_opt
> >>     ip_push_pending_frames
> >>       ip_finish_skb
> >>         __ip_make_skb
> >>
> >> At this point, the icmp header has already been copied into skb linear
> >> area. Is the isue that icmp_hdr/skb_transport_header is not set in
> >> this path? 
> >>
> > Hello Willem,
> > 
> > raw_sendmsg
> >   ip_append_data(..., transhdrlen==0, ...) // !inet->hdrincl
> > 
> > Parameter "transhdrlen" of ip_append_data() equals to 0 in raw_sendmsg()
> > not sizeof(struct icmphdr) as in ping_v4_sendmsg().
> > 
> > William Xuan.
> Hello Willem,
> 
> Does my answer answer your doubts?

Thanks. Yes, that explains. Would you mind adding a comment to that
effect. Sommething like

    /* for such sockets, transport hlen is zero and icmp_hdr incorrect */
    if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)

I missed your previous response, William. Sorry about that.
 
> William Xuan
> >>> ---
> >>>  net/ipv4/ip_output.c | 12 +++++++++---
> >>>  1 file changed, 9 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> >>> index 4e4e308c3230..21507c9ce0fc 100644
> >>> --- a/net/ipv4/ip_output.c
> >>> +++ b/net/ipv4/ip_output.c
> >>> @@ -1570,9 +1570,15 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
> >>>  	cork->dst = NULL;
> >>>  	skb_dst_set(skb, &rt->dst);
> >>>  
> >>> -	if (iph->protocol == IPPROTO_ICMP)
> >>> -		icmp_out_count(net, ((struct icmphdr *)
> >>> -			skb_transport_header(skb))->type);
> >>> +	if (iph->protocol == IPPROTO_ICMP) {
> >>> +		u8 icmp_type;
> >>> +
> >>> +		if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)
> >>> +			icmp_type = fl4->fl4_icmp_type;
> >>> +		else
> >>> +			icmp_type = icmp_hdr(skb)->type;
> >>> +		icmp_out_count(net, icmp_type);
> >>> +	}
> >>>  
> >>>  	ip_cork_release(cork);
> >>>  out:
> >>> -- 
> >>> 2.25.1
> >>>
> >>
> >>
> >> .
> >>
> > 
> > .
> >
Ziyang Xuan (William) April 19, 2023, 9:41 a.m. UTC | #5 
> Ziyang Xuan (William) wrote:
>>>> Ziyang Xuan wrote:
>>>>> Like commit ea30388baebc ("ipv6: Fix an uninit variable access bug in
>>>>> __ip6_make_skb()"). icmphdr does not in skb linear region under the
>>>>> scenario of SOCK_RAW socket. Access icmp_hdr(skb)->type directly will
>>>>> trigger the uninit variable access bug.
>>>>>
>>>>> Use a local variable icmp_type to carry the correct value in different
>>>>> scenarios.
>>>>>
>>>>> Fixes: 96793b482540 ("[IPV4]: Add ICMPMsgStats MIB (RFC 4293)")
>>>>> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
>>>>> ---
>>>>> v2:
>>>>>   - Use sk->sk_type not sk->sk_socket->type.
>>>>
>>>> This is reached through
>>>>
>>>>   raw_sendmsg
>>>>     raw_probe_proto_opt
>>>>     ip_push_pending_frames
>>>>       ip_finish_skb
>>>>         __ip_make_skb
>>>>
>>>> At this point, the icmp header has already been copied into skb linear
>>>> area. Is the isue that icmp_hdr/skb_transport_header is not set in
>>>> this path? 
>>>>
>>> Hello Willem,
>>>
>>> raw_sendmsg
>>>   ip_append_data(..., transhdrlen==0, ...) // !inet->hdrincl
>>>
>>> Parameter "transhdrlen" of ip_append_data() equals to 0 in raw_sendmsg()
>>> not sizeof(struct icmphdr) as in ping_v4_sendmsg().
>>>
>>> William Xuan.
>> Hello Willem,
>>
>> Does my answer answer your doubts?
> 
> Thanks. Yes, that explains. Would you mind adding a comment to that
> effect. Sommething like
> 
>     /* for such sockets, transport hlen is zero and icmp_hdr incorrect */
>     if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)
> 
That is fine. It will make other developers understand the logic here quickly.

> I missed your previous response, William. Sorry about that.
>  
>> William Xuan
>>>>> ---
>>>>>  net/ipv4/ip_output.c | 12 +++++++++---
>>>>>  1 file changed, 9 insertions(+), 3 deletions(-)
>>>>>
>>>>> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
>>>>> index 4e4e308c3230..21507c9ce0fc 100644
>>>>> --- a/net/ipv4/ip_output.c
>>>>> +++ b/net/ipv4/ip_output.c
>>>>> @@ -1570,9 +1570,15 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
>>>>>  	cork->dst = NULL;
>>>>>  	skb_dst_set(skb, &rt->dst);
>>>>>  
>>>>> -	if (iph->protocol == IPPROTO_ICMP)
>>>>> -		icmp_out_count(net, ((struct icmphdr *)
>>>>> -			skb_transport_header(skb))->type);
>>>>> +	if (iph->protocol == IPPROTO_ICMP) {
>>>>> +		u8 icmp_type;
>>>>> +
>>>>> +		if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)
>>>>> +			icmp_type = fl4->fl4_icmp_type;
>>>>> +		else
>>>>> +			icmp_type = icmp_hdr(skb)->type;
>>>>> +		icmp_out_count(net, icmp_type);
>>>>> +	}
>>>>>  
>>>>>  	ip_cork_release(cork);
>>>>>  out:
>>>>> -- 
>>>>> 2.25.1
>>>>>
>>>>
>>>>
>>>> .
>>>>
>>>
>>> .
>>>
> 
> 
> .
>
Willem de Bruijn April 19, 2023, 2:02 p.m. UTC | #6 
Ziyang Xuan wrote:
> Like commit ea30388baebc ("ipv6: Fix an uninit variable access bug in
> __ip6_make_skb()"). icmphdr does not in skb linear region under the
> scenario of SOCK_RAW socket. Access icmp_hdr(skb)->type directly will
> trigger the uninit variable access bug.
> 
> Use a local variable icmp_type to carry the correct value in different
> scenarios.
> 
> Fixes: 96793b482540 ("[IPV4]: Add ICMPMsgStats MIB (RFC 4293)")
> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>

Reviewed-by: Willem de Bruijn <willemb@google.com>
diff mbox series

Patch

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 4e4e308c3230..21507c9ce0fc 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1570,9 +1570,15 @@  struct sk_buff *__ip_make_skb(struct sock *sk,
 	cork->dst = NULL;
 	skb_dst_set(skb, &rt->dst);
 
-	if (iph->protocol == IPPROTO_ICMP)
-		icmp_out_count(net, ((struct icmphdr *)
-			skb_transport_header(skb))->type);
+	if (iph->protocol == IPPROTO_ICMP) {
+		u8 icmp_type;
+
+		if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)
+			icmp_type = fl4->fl4_icmp_type;
+		else
+			icmp_type = icmp_hdr(skb)->type;
+		icmp_out_count(net, icmp_type);
+	}
 
 	ip_cork_release(cork);
 out: