
tunnels: fix out of bounds access when building IPv6 PMTU error

JIRA: https://issues.redhat.com/browse/RHEL-21839
Upstream Status: net.git

commit d75abeec401f8c86b470e7028a13fcdc87e5dd06
Author: Antoine Tenart <atenart@kernel.org>
Date: Thu Feb 1 09:38:15 2024 +0100

tunnels: fix out of bounds access when building IPv6 PMTU error  

If the ICMPv6 error is built from a non-linear skb we get the following  
splat,  

  BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240  
  Read of size 4 at addr ffff88811d402c80 by task netperf/820  
  CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543  
  ...  
   kasan_report+0xd8/0x110  
   do_csum+0x220/0x240  
   csum_partial+0xc/0x20  
   skb_tunnel_check_pmtu+0xeb9/0x3280  
   vxlan_xmit_one+0x14c2/0x4080  
   vxlan_xmit+0xf61/0x5c00  
   dev_hard_start_xmit+0xfb/0x510  
   __dev_queue_xmit+0x7cd/0x32a0  
   br_dev_queue_push_xmit+0x39d/0x6a0  

Use skb_checksum instead of csum_partial which cannot deal with non-linear  
SKBs.  

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")  
Signed-off-by: Antoine Tenart <atenart@kernel.org>  
Reviewed-by: Jiri Pirko <jiri@nvidia.com>  
Signed-off-by: David S. Miller <davem@davemloft.net>  

Signed-off-by: Antoine Tenart <atenart@redhat.com>
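
The following is an added illustration, not code from the commit or the kernel: a userspace model of why a flat checksum over the linear area goes out of bounds on a non-linear buffer, while a fragment-aware walk does not. The `toy_skb` layout, `range_is_linear` and `toy_checksum` are hypothetical names, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model (assumption, not kernel code): linear head plus paged fragments. */
struct toy_frag { const uint8_t *data; size_t len; };
struct toy_skb {
    const uint8_t *head; size_t head_len;           /* linear area */
    const struct toy_frag *frags; size_t nr_frags;  /* non-linear area */
};

/* A flat checksum over head + offset stays in bounds only if this holds. */
static int range_is_linear(const struct toy_skb *skb, size_t offset, size_t len)
{
    return offset <= skb->head_len && len <= skb->head_len - offset;
}

/* Fragment-aware 16-bit ones'-complement sum over [offset, offset + len).
 * Each chunk is read only within its own length; -1 if the range is too long. */
static long toy_checksum(const struct toy_skb *skb, size_t offset, size_t len)
{
    uint64_t sum = 0;
    int odd = 0; /* byte parity carried across chunk boundaries */
    for (size_t i = 0; i <= skb->nr_frags && len; i++) {
        const uint8_t *p = i ? skb->frags[i - 1].data : skb->head;
        size_t n = i ? skb->frags[i - 1].len : skb->head_len;
        if (offset >= n) { offset -= n; continue; }
        for (; offset < n && len; offset++, len--, odd ^= 1)
            sum += odd ? p[offset] : (uint64_t)p[offset] << 8;
        offset = 0;
    }
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return len ? -1 : (long)sum;
}

/* Constructed sample: the same 8 bytes, flat and split 3 + 2 + 3. */
static const uint8_t flat[] = {0x00, 0x01, 0xf2, 0x03, 0xf4, 0xf5, 0xf6, 0xf7};
static const uint8_t h[] = {0x00, 0x01, 0xf2}, f1[] = {0x03, 0xf4}, f2[] = {0xf5, 0xf6, 0xf7};
static const struct toy_frag frags[] = {{f1, 2}, {f2, 3}};
static const struct toy_skb linear_skb = {flat, 8, NULL, 0};
static const struct toy_skb nonlinear_skb = {h, 3, frags, 2};

int main(void)
{
    printf("%ld %ld fits_in_head=%d\n", toy_checksum(&linear_skb, 0, 8),
           toy_checksum(&nonlinear_skb, 0, 8), range_is_linear(&nonlinear_skb, 0, 8));
    return 0;
}
```

Both layouts give the same sum, but only the first 3 bytes of the split buffer sit in the head, so a flat 8-byte read from `head` would run 5 bytes past the allocation.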
