archives/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-03-08 04:04:43 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/net
History
Kuniyuki Iwashima 8244f959e2 ipv6: Fix out-of-bound access in fib6_add_rt2node(). 
syzbot reported out-of-bound read in fib6_add_rt2node(). [0]

When IPv6 route is created with RTA_NH_ID, struct fib6_info
does not have the trailing struct fib6_nh.

The cited commit started to check !iter->fib6_nh->fib_nh_gw_family
to ensure that rt6_qualify_for_ecmp() will return false for iter.

If iter->nh is not NULL, rt6_qualify_for_ecmp() returns false anyway.

Let's check iter->nh before reading iter->fib6_nh and avoid OOB read.

[0]:
BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142
Read of size 1 at addr ffff8880384ba6de by task syz.0.18/5500

CPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142
 fib6_add_rt2node_nh net/ipv6/ip6_fib.c:1363 [inline]
 fib6_add+0x910/0x18c0 net/ipv6/ip6_fib.c:1531
 __ip6_ins_rt net/ipv6/route.c:1351 [inline]
 ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3957
 inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660
 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592
 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9316b9aeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9
RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003
RBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0
 </TASK>

Allocated by task 5499:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5657 [inline]
 __kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669
 kmalloc_noprof include/linux/slab.h:961 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820
 ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949
 inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660
 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592
 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: bbf4a17ad9 ("ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF")
Reported-by: syzbot+707d6a5da1ab9e0c6f9d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/698cbfba.050a0220.2eeac1.009d.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Shigeru Yoshida <syoshida@redhat.com>
Link: https://patch.msgid.link/20260211175133.3657034-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-02-13 12:24:28 -08:00
..
6lowpan net: replace ND_PRINTK with dynamic debug 2025-07-10 15:27:32 -07:00
9p - fix a bug with O_APPEND in cached mode causing data to be written multiple times on server 2025-12-07 08:29:09 -08:00
802 net: remove HIPPI support and RoadRunner HIPPI driver 2026-01-20 19:12:06 -08:00
8021q net: vlan: sync VLAN features with lower device 2025-10-31 17:42:35 -07:00
appletalk net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
atm net: atm: fix crash due to unvalidated vcc pointer in sigd_send() 2026-02-10 11:24:47 +01:00
ax25 net: ax25: remove plumbing for never-implemented DAMA Master support 2026-01-30 19:19:39 -08:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-10-31 06:46:03 -07:00
bluetooth Networking changes for 7.0 2026-02-11 19:31:52 -08:00
bpf bpf: add fsession support 2026-01-24 18:49:35 -08:00
bridge net/ipv6: Introduce payload_len helpers 2026-02-06 20:50:03 -08:00
caif caif: fix integer underflow in cffrml_receive() 2025-12-11 01:35:41 -08:00
can can: gw: use can_gw_hops instead of sk_buff::csum_start 2026-02-05 11:58:40 +01:00
ceph libceph: make calc_target() set t->paused, not just clear it 2026-01-06 00:39:43 +01:00
core Networking changes for 7.0 2026-02-11 19:31:52 -08:00
dcb Revert "Documentation: net: add flow control guide and document ethtool API" 2025-10-01 09:48:21 +02:00
devlink devlink: Refactor devlink_rate_nodes_check 2026-02-02 20:05:51 -08:00
dns_resolver net/dns_resolver: use credential guards in dns_query() 2025-11-04 12:36:51 +01:00
dsa net: dsa: add tag format for MxL862xx switches 2026-02-11 11:27:57 +01:00
ethernet net: optimize eth_type_trans() vs CONFIG_STACKPROTECTOR_STRONG=y 2025-11-24 19:27:31 -08:00
ethtool Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-02-05 09:54:08 -08:00
handshake net/handshake: Fix null-ptr-deref in handshake_complete() 2025-12-22 12:36:40 +01:00
hsr hsr: Implement more robust duplicate discard for HSR 2026-02-10 12:02:29 +01:00
ieee802154 net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
ife
ipv4 Networking changes for 7.0 2026-02-11 19:31:52 -08:00
ipv6 ipv6: Fix out-of-bound access in fib6_add_rt2node(). 2026-02-13 12:24:28 -08:00
iucv net/iucv: clean up iucv kernel-doc warnings 2026-02-04 20:39:58 -08:00
kcm Networking changes for 6.19. 2025-12-03 17:24:33 -08:00
key pfkey: Deprecate pfkey 2025-10-30 09:03:12 +01:00
l2tp l2tp: avoid one data-race in l2tp_tunnel_del_work() 2026-01-19 09:55:41 -08:00
l3mdev
lapb
llc net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
mac80211 wifi: mac80211: Add eMLSR/eMLMR action frame parsing support 2026-02-02 10:11:18 +01:00
mac802154
mctp net: mctp: ensure our nlmsg responses are initialised 2026-02-12 18:35:45 -08:00
mpls mpls: Drop RTNL for RTM_NEWROUTE, RTM_DELROUTE, and RTM_GETROUTE. 2025-11-03 17:40:54 -08:00
mptcp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-02-11 15:14:35 +01:00
ncsi
netfilter Networking changes for 7.0 2026-02-11 19:31:52 -08:00
netlabel audit: add record for multiple task security contexts 2025-08-30 10:15:30 -04:00
netlink net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
netrom netrom: fix double-free in nr_route_frame() 2026-01-20 19:15:40 -08:00
nfc nfc: hci: shdlc: Stop timers and work before freeing context 2026-02-05 18:46:20 -08:00
nsh
openvswitch net: openvswitch: fix data race in ovs_vport_get_upcall_stats 2026-01-22 12:55:22 +01:00
packet net: add vlan_get_protocol_offset_inline() helper 2026-02-05 16:33:52 +01:00
phonet net: Convert proto callbacks from sockaddr to sockaddr_unsized 2025-11-04 19:10:33 -08:00
psample
psp tools: ynl-gen: add regeneration comment 2025-11-25 19:20:42 -08:00
qrtr net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
rds net/rds: Trigger rds_send_ping() more than once 2026-02-04 20:46:39 -08:00
rfkill net: replace use of system_wq with system_percpu_wq 2025-09-22 17:40:30 -07:00
rose net: rose: fix invalid array index in rose_kill_by_device() 2025-12-30 11:45:51 +01:00
rxrpc rxrpc: Fix data-race warning and potential load/store tearing 2026-01-21 19:59:29 -08:00
sched Networking changes for 7.0 2026-02-11 19:31:52 -08:00
sctp sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT 2026-01-17 15:10:34 -08:00
shaper tools: ynl-gen: add regeneration comment 2025-11-25 19:20:42 -08:00
smc Revert "net/smc: Introduce TCP ULP support" 2026-01-30 19:21:51 -08:00
strparser Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-11-13 12:35:38 -08:00
sunrpc nfsd-6.19 fixes: 2025-12-24 09:23:04 -08:00
switchdev
tipc tipc: fix RCU dereference race in tipc_aead_users_dec() 2026-02-05 12:36:31 -08:00
tls Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-10-31 06:46:03 -07:00
unix af_unix: Fix memleak of newsk in unix_stream_connect(). 2026-02-11 13:01:13 +01:00
vmw_vsock vmw_vsock: bypass false-positive Wnonnull warning with gcc-16 2026-02-04 18:40:31 -08:00
wireless wifi: cfg80211: add initial UHR support 2026-02-02 10:11:07 +01:00
x25 net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
xdp Revert "Merge branch 'netkit-support-for-io_uring-zero-copy-and-af_xdp'" 2026-01-20 18:06:01 -08:00
xfrm bpf-next-7.0 2026-02-10 11:26:21 -08:00
compat.c socket: Unify getsockname and getpeername implementation 2025-11-26 13:45:23 -07:00
devres.c
Kconfig net: Kconfig: discourage drop_monitor enablement 2025-10-17 16:29:26 -07:00
Kconfig.debug
Makefile psp: base PSP device support 2025-09-18 12:32:06 +02:00
socket.c vfs-6.19-rc1.fixes 2025-12-05 15:52:30 -08:00
sysctl_net.c