Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/net/ipv6
History
Eric Dumazet d45cf1e7d7 ipv6: reject malicious packets in ipv6_gso_segment() 
syzbot was able to craft a packet with very long IPv6 extension headers
leading to an overflow of skb->transport_header.

This 16bit field has a limited range.

Add skb_reset_transport_header_careful() helper and use it
from ipv6_gso_segment()

WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Modules linked in:
CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
 RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
 RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Call Trace:
 <TASK>
  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
  nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110
  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
  __skb_gso_segment+0x342/0x510 net/core/gso.c:124
  skb_gso_segment include/net/gso.h:83 [inline]
  validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950
  validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000
  sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329
  __dev_xmit_skb net/core/dev.c:4102 [inline]
  __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679

Fixes: d1da932ed4 ("ipv6: Separate ipv6 offload support")
Reported-by: syzbot+af43e647fd835acc02df@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/688a1a05.050a0220.5d226.0008.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20250730131738.3385939-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 		2025-08-01 14:40:53 -07:00
..
ila ipv6: adopt dst_dev() helper 2025-07-02 14:32:30 -07:00
netfilter netfilter: Exclude LEGACY TABLES on PREEMPT_RT. 2025-07-25 18:38:50 +02:00
Kconfig
Makefile
addrconf.c Networking changes for 6.17. 2025-07-30 08:58:55 -07:00
addrconf_core.c
addrlabel.c net: replace ADDRLABEL with dynamic debug 2025-07-08 15:04:05 +02:00
af_inet6.c net: annotate races around sk->sk_uid 2025-06-23 17:04:03 -07:00
ah6.c
anycast.c dev: Pass netdevice_tracker to dev_get_by_flags_rcu(). 2025-07-14 17:11:14 -07:00
calipso.c net: ipv6: Fix spelling mistake 2025-07-02 15:42:29 -07:00
datagram.c net: dst: annotate data-races around dst->obsolete 2025-07-02 14:32:29 -07:00
esp6.c espintcp: remove encap socket caching to avoid reference leak 2025-04-14 11:59:17 +02:00
esp6_offload.c
exthdrs.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
exthdrs_core.c
exthdrs_offload.c
fib6_notifier.c
fib6_rules.c
fou6.c
icmp.c ipv6: adopt dst_dev() helper 2025-07-02 14:32:30 -07:00
inet6_connection_sock.c net: annotate races around sk->sk_uid 2025-06-23 17:04:03 -07:00
inet6_hashtables.c inet: call inet6_ehashfn() once from inet6_hash_connect() 2025-03-06 15:26:02 -08:00
ioam6.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
ioam6_iptunnel.c ipv6: adopt dst_dev() helper 2025-07-02 14:32:30 -07:00
ip6_checksum.c
ip6_fib.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-26 11:49:45 -07:00
ip6_flowlabel.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
ip6_gre.c ip6_gre: Factor out common ip6gre tunnel match into helper 2025-07-22 12:15:26 +02:00
ip6_icmp.c
ip6_input.c net: preserve MSG_ZEROCOPY with forwarding 2025-07-02 15:07:16 -07:00
ip6_offload.c ipv6: reject malicious packets in ipv6_gso_segment() 2025-08-01 14:40:53 -07:00
ip6_offload.h
ip6_output.c ipv6: add `force_forwarding` sysctl to enable per-interface forwarding 2025-07-25 13:06:19 -07:00
ip6_tunnel.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
ip6_udp_tunnel.c ipv6: adopt dst_dev() helper 2025-07-02 14:32:30 -07:00
ip6_vti.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
ip6mr.c ipv6: ip6_mc_input() and ip6_mr_input() cleanups 2025-07-02 14:32:30 -07:00
ipcomp6.c xfrm: delete x->tunnel as we delete x 2025-07-08 13:28:27 +02:00
ipv6_sockglue.c ipv6: Remove setsockopt_needs_rtnl(). 2025-07-08 18:32:39 -07:00
mcast.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-17 11:00:33 -07:00
mcast_snoop.c
mip6.c
ndisc.c neighbour: Remove __pneigh_lookup(). 2025-07-17 16:25:21 -07:00
netfilter.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
output_core.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
ping.c net: annotate races around sk->sk_uid 2025-06-23 17:04:03 -07:00
proc.c
protocol.c
raw.c net: annotate races around sk->sk_uid 2025-06-23 17:04:03 -07:00
reassembly.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
route.c bpf-next-6.17 2025-07-30 09:58:50 -07:00
rpl.c
rpl_iptunnel.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-07-17 11:00:33 -07:00
seg6.c
seg6_hmac.c ipv6: sr: Use nested-BH locking for hmac_storage 2025-05-15 15:23:31 +02:00
seg6_iptunnel.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
seg6_local.c ipv6: adopt dst_dev() helper 2025-07-02 14:32:30 -07:00
sit.c net: ipv4: Add a flags argument to iptunnel_xmit(), udp_tunnel_xmit_skb() 2025-06-17 18:18:44 -07:00
syncookies.c net: annotate races around sk->sk_uid 2025-06-23 17:04:03 -07:00
sysctl_net_ipv6.c
tcp_ao.c
tcp_ipv6.c net: track pfmemalloc drops via SKB_DROP_REASON_PFMEMALLOC 2025-07-18 16:59:05 -07:00
tcpv6_offload.c net: use sock_gen_put() when sk_state is TCP_TIME_WAIT 2025-05-01 07:00:19 -07:00
tunnel6.c
udp.c net: track pfmemalloc drops via SKB_DROP_REASON_PFMEMALLOC 2025-07-18 16:59:05 -07:00
udp_impl.h udp: move udp_memory_allocated into net_aligned_data 2025-07-02 14:22:02 -07:00
udp_offload.c udp_tunnel: create a fastpath GRO lookup. 2025-04-08 18:19:41 -07:00
udplite.c udp: move udp_memory_allocated into net_aligned_data 2025-07-02 14:22:02 -07:00
xfrm6_input.c xfrm: Set transport header to fix UDP GRO handling 2025-07-02 09:19:56 +02:00
xfrm6_output.c ipv6: adopt skb_dst_dev() and skb_dst_dev_net[_rcu]() helpers 2025-07-02 14:32:30 -07:00
xfrm6_policy.c
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c Revert "xfrm: destroy xfrm_state synchronously on net exit path" 2025-07-08 13:28:29 +02:00