Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-23 Thread David Miller
From: Dave Jones Date: Thu, 22 Dec 2016 11:16:22 -0500 > By setting certain socket options on ipv6 raw sockets, we can confuse the > length calculation in rawv6_push_pending_frames triggering a BUG_ON. ... > Signed-off-by: Dave Jones Applied

ipv6: handle -EFAULT from skb_copy_bits

2016-12-22 Thread Dave Jones
By setting certain socket options on ipv6 raw sockets, we can confuse the length calculation in rawv6_push_pending_frames triggering a BUG_ON.

RIP: 0010:[] [] rawv6_sendmsg+0xc30/0xc40
RSP: 0018:881f6c4a7c18 EFLAGS: 00010282
RAX: fff2 RBX: 881f6c681680 RCX: 0002

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-21 Thread Dave Jones
On Wed, Dec 21, 2016 at 10:33:20PM +0100, Hannes Frederic Sowa wrote: > > Given all of this, I think the best thing to do is validate the offset > > after the queue walks, which is pretty much what Dave Jones's original > > patch was doing. > > I think both approaches protect against the

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-21 Thread Hannes Frederic Sowa
On Wed, 2016-12-21 at 14:04 -0500, David Miller wrote: > From: Hannes Frederic Sowa > Date: Wed, 21 Dec 2016 13:41:13 +0100 > > > On Wed, 2016-12-21 at 13:27 +0100, Hannes Frederic Sowa wrote: > >> @@ -555,8 +566,8 @@ static int rawv6_push_pending_frames(struct sock

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-21 Thread David Miller
From: Hannes Frederic Sowa Date: Wed, 21 Dec 2016 13:41:13 +0100 > On Wed, 2016-12-21 at 13:27 +0100, Hannes Frederic Sowa wrote: >> @@ -555,8 +566,8 @@ static int rawv6_push_pending_frames(struct sock *sk, >> struct flowi6 *fl6, >> goto out; >> >>

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-21 Thread Hannes Frederic Sowa
On Wed, 2016-12-21 at 13:27 +0100, Hannes Frederic Sowa wrote: > @@ -555,8 +566,8 @@ static int rawv6_push_pending_frames(struct sock *sk, > struct flowi6 *fl6, > goto out; > > offset = rp->offset; > - total_len = inet_sk(sk)->cork.base.length; > - if
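Review bot: the hunk removes the early bound that checked `offset` against `total_len = inet_sk(sk)->cork.base.length`, and the test that replaces it is cut off in this excerpt; whatever replaces it has to bound the offset against the data actually queued in the skbs, because the BUG_ON named in the subject is the one raised when skb_copy_bits() later returns -EFAULT for an offset past the end of the skb data, and the thread's own conclusion (validate the offset after the queue walks) points the same way.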

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-21 Thread Hannes Frederic Sowa
On Tue, 2016-12-20 at 22:09 -0800, Cong Wang wrote: > On Tue, Dec 20, 2016 at 2:12 PM, Dave Jones wrote: > > fd = socket(AF_INET6, SOCK_RAW, 7); > > > > setsockopt(fd, SOL_IPV6, IPV6_CHECKSUM, , 4); > > setsockopt(fd, SOL_IPV6, IPV6_DSTOPTS, ,

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-20 Thread Cong Wang
On Tue, Dec 20, 2016 at 2:12 PM, Dave Jones wrote: > fd = socket(AF_INET6, SOCK_RAW, 7); > > setsockopt(fd, SOL_IPV6, IPV6_CHECKSUM, , 4); > setsockopt(fd, SOL_IPV6, IPV6_DSTOPTS, , LEN); > Interesting, you set the checksum offset to be 0, but the

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-20 Thread Dave Jones
On Tue, Dec 20, 2016 at 11:31:38AM -0800, Cong Wang wrote: > On Tue, Dec 20, 2016 at 10:17 AM, Dave Jones wrote: > > On Mon, Dec 19, 2016 at 08:36:23PM -0500, David Miller wrote: > > > From: Dave Jones > > > Date: Mon, 19 Dec 2016 19:40:13

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-20 Thread Dave Jones
On Tue, Dec 20, 2016 at 01:28:13PM -0500, David Miller wrote: > This has to do with the SKB buffer layout and geometry, not whether > the packet is "fragmented" in the protocol sense. > > So no, this isn't a criteria for packets being filtered out by this > point. > > Can you try to

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-20 Thread Cong Wang
On Tue, Dec 20, 2016 at 10:17 AM, Dave Jones wrote: > On Mon, Dec 19, 2016 at 08:36:23PM -0500, David Miller wrote: > > From: Dave Jones > > Date: Mon, 19 Dec 2016 19:40:13 -0500 > > > > > On Mon, Dec 19, 2016 at 07:31:44PM -0500, Dave Jones

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-20 Thread David Miller
From: Dave Jones Date: Tue, 20 Dec 2016 13:17:28 -0500 > On Mon, Dec 19, 2016 at 08:36:23PM -0500, David Miller wrote: > > From: Dave Jones > > Date: Mon, 19 Dec 2016 19:40:13 -0500 > > > > > On Mon, Dec 19, 2016 at 07:31:44PM -0500, Dave

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-20 Thread Dave Jones
On Mon, Dec 19, 2016 at 08:36:23PM -0500, David Miller wrote: > From: Dave Jones > Date: Mon, 19 Dec 2016 19:40:13 -0500 > > > On Mon, Dec 19, 2016 at 07:31:44PM -0500, Dave Jones wrote: > > > > > Unfortunately, this made no difference. I spent some time today

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-19 Thread David Miller
From: Dave Jones Date: Mon, 19 Dec 2016 19:40:13 -0500 > On Mon, Dec 19, 2016 at 07:31:44PM -0500, Dave Jones wrote: > > > Unfortunately, this made no difference. I spent some time today trying > > to make a better reproducer, but failed. I'll revisit again tomorrow.

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-19 Thread Dave Jones
On Mon, Dec 19, 2016 at 07:31:44PM -0500, Dave Jones wrote: > Unfortunately, this made no difference. I spent some time today trying > to make a better reproducer, but failed. I'll revisit again tomorrow. > > Maybe I need >1 process/thread to trigger this. That would explain why > I can

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-19 Thread Dave Jones
On Mon, Dec 19, 2016 at 02:48:48PM -0500, David Miller wrote: > One thing that's interesting is that if the user picks "IPPROTO_RAW" > as the value of 'protocol' we set inet->hdrincl to 1. > > The user can also set inet->hdrincl to 1 or 0 via setsockopt(). > > I think this is part of the

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-19 Thread David Miller
From: Dave Jones Date: Mon, 19 Dec 2016 12:03:20 -0500 > On Sat, Dec 17, 2016 at 10:41:20AM -0500, David Miller wrote: > > > > It seems to be possible to craft a packet for sendmsg that triggers > > > the -EFAULT path in skb_copy_bits resulting in a BUG_ON that looks

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-19 Thread Dave Jones
On Sat, Dec 17, 2016 at 10:41:20AM -0500, David Miller wrote: > > It seems to be possible to craft a packet for sendmsg that triggers > > the -EFAULT path in skb_copy_bits resulting in a BUG_ON that looks like: > > > > RIP: 0010:[] [] > > rawv6_sendmsg+0xc30/0xc40 > > RSP:

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-17 Thread Dave Jones
On Sat, Dec 17, 2016 at 10:41:20AM -0500, David Miller wrote: > From: Dave Jones > Date: Wed, 14 Dec 2016 10:47:29 -0500 > > > It seems to be possible to craft a packet for sendmsg that triggers > > the -EFAULT path in skb_copy_bits resulting in a BUG_ON that looks

Re: ipv6: handle -EFAULT from skb_copy_bits

2016-12-17 Thread David Miller
From: Dave Jones Date: Wed, 14 Dec 2016 10:47:29 -0500 > It seems to be possible to craft a packet for sendmsg that triggers > the -EFAULT path in skb_copy_bits resulting in a BUG_ON that looks like: > > RIP: 0010:[] [] rawv6_sendmsg+0xc30/0xc40 > RSP:

ipv6: handle -EFAULT from skb_copy_bits

2016-12-14 Thread Dave Jones
It seems to be possible to craft a packet for sendmsg that triggers the -EFAULT path in skb_copy_bits resulting in a BUG_ON that looks like:

RIP: 0010:[] [] rawv6_sendmsg+0xc30/0xc40
RSP: 0018:881f6c4a7c18 EFLAGS: 00010282
RAX: fff2 RBX: 881f6c681680 RCX: 0002
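The mechanism the report above and the socket()/setsockopt() reproducer quoted in the Cong Wang and Hannes Frederic Sowa replies are circling, as an added example that is not code from this thread or from the kernel: a user-space model of the checksum insertion rawv6_push_pending_frames() performs when IPV6_CHECKSUM is set, with skb_copy_bits() modelled as a bounded copy that returns -EFAULT. It assumes, following the IPV6_DSTOPTS discussion, that the early offset check is made against a length that also counts the queued extension-header bytes (modelled as offset >= total_len - 1) while the copy is bounded by the transport payload the offset is relative to. struct raw6_msg, check_offset(), copy_bits(), raw6_push_checksum() and the two demo_* scenarios are constructed names for illustration, not kernel identifiers, and the packets they build are constructed inputs.

```c
/* Added example: user-space model of the IPV6_CHECKSUM insertion done by
 * rawv6_push_pending_frames(), with skb_copy_bits() as a bounded copy. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct raw6_msg {
	uint8_t src[16], dst[16];   /* pseudo-header addresses */
	uint8_t nexthdr;            /* pseudo-header next header (the socket protocol) */
	size_t dstopts_len;         /* IPV6_DSTOPTS bytes queued ahead of the payload */
	uint8_t *payload;           /* transport-layer bytes passed to sendmsg() */
	size_t payload_len;
};

/* One's-complement 16-bit sum over two byte ranges (pseudo-header, then payload). */
static uint16_t csum16(const uint8_t *a, size_t na, const uint8_t *b, size_t nb)
{
	uint32_t sum = 0;
	for (size_t i = 0; i < na + nb; i++) {
		uint8_t byte = i < na ? a[i] : b[i - na];
		sum += (i & 1) ? byte : (uint32_t)byte << 8;   /* big-endian words */
	}
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Model of skb_copy_bits(): -EFAULT when [off, off + len) is not inside the data. */
static int copy_bits(const struct raw6_msg *m, size_t off, void *to, size_t len)
{
	if (off + len > m->payload_len)
		return -EFAULT;
	memcpy(to, m->payload + off, len);
	return 0;
}

/* Bound applied before the copy. Loose: offset against the cork length, which
 * (assumption drawn from the IPV6_DSTOPTS discussion) also counts the queued
 * extension-header bytes. Tight: the 16-bit field must lie inside the payload. */
static int check_offset(const struct raw6_msg *m, int offset, int tight)
{
	size_t limit = m->payload_len + (tight ? 0 : m->dstopts_len);
	if (offset < 0 || (offset & 1))     /* setsockopt(IPV6_CHECKSUM) rejects odd offsets */
		return -EINVAL;
	if (tight ? (size_t)offset + 2 > limit : (limit < 2 || (size_t)offset >= limit - 1))
		return -EINVAL;
	return 0;
}

/* Store the transport checksum at `offset` within m->payload. Returns 0, -EINVAL
 * from the bound check, or -EFAULT when the copy falls outside the payload: the
 * original code wrapped that copy in BUG_ON(); the applied fix returns the error. */
int raw6_push_checksum(struct raw6_msg *m, int offset, int tight)
{
	uint8_t cur[2], ph[40] = { 0 };
	int err = check_offset(m, offset, tight);
	if (err)
		return err;
	err = copy_bits(m, (size_t)offset, cur, 2);   /* was: BUG_ON(skb_copy_bits(...)) */
	if (err < 0)
		return err;
	/* Pseudo-header: src, dst, 32-bit upper-layer length (< 64 KiB here), 3 zero bytes, next header. */
	memcpy(ph, m->src, 16);
	memcpy(ph + 16, m->dst, 16);
	ph[34] = (uint8_t)(m->payload_len >> 8);
	ph[35] = (uint8_t)m->payload_len;
	ph[39] = m->nexthdr;
	/* The kernel subtracts the field's current value from the sum; zeroing it is equivalent. */
	m->payload[offset] = m->payload[offset + 1] = 0;
	uint16_t csum = csum16(ph, sizeof ph, m->payload, m->payload_len);
	if (csum == 0 && m->nexthdr == 17)
		csum = 0xffff;              /* UDP: a computed zero goes out as all-ones */
	m->payload[offset] = (uint8_t)(csum >> 8);
	m->payload[offset + 1] = (uint8_t)csum;
	return 0;
}

/* Constructed scenario: ICMPv6 echo request ::1 -> ::1, checksum at the usual offset 2. */
int demo_icmpv6_checksum(void)
{
	uint8_t echo[8] = { 0x80, 0, 0, 0, 0, 0, 0, 0 };   /* type, code, csum, id, seq */
	struct raw6_msg m = { .nexthdr = 58, .payload = echo, .payload_len = sizeof echo };
	m.src[15] = m.dst[15] = 1;
	if (raw6_push_checksum(&m, 2, 1) != 0)
		return -1;
	return echo[2] << 8 | echo[3];
}

/* Constructed scenario after the reproducer: protocol 7 raw socket, 4-byte payload,
 * checksum offset 6, dstopts_len bytes of IPV6_DSTOPTS queued ahead of it. */
int demo_offset_past_payload(size_t dstopts_len, int tight)
{
	uint8_t data[4] = { 0 };
	struct raw6_msg m = { .nexthdr = 7, .dstopts_len = dstopts_len,
			      .payload = data, .payload_len = sizeof data };
	return raw6_push_checksum(&m, 6, tight);
}
```

With no extension header queued, offset 6 on a 4-byte payload is rejected up front; with 8 bytes of IPV6_DSTOPTS ahead of the same payload the loose bound accepts it and the copy fails with -EFAULT, which is the path the original code turned into a BUG_ON and the applied patch turns into an error return. The tight bound rejects the offset before any copy is attempted, which is the check a reviewer would want in addition to handling -EFAULT.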