mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2026-03-03 18:28:01 +01:00
6db8b56eed
On the receive path, __ioam6_fill_trace_data() uses trace->nodelen
to decide how much data to write for each node. It trusts this field
as-is from the incoming packet, with no consistency check against
trace->type (the 24-bit field that tells which data items are
present). A crafted packet can set nodelen=0 while setting type bits
0-21, causing the function to write ~100 bytes past the allocated
region (into skb_shared_info), which corrupts adjacent heap memory
and leads to a kernel panic.
Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to
derive the expected nodelen from the type field, and use it:
- in ioam6_iptunnel.c (send path, existing validation) to replace
the open-coded computation;
- in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose
nodelen is inconsistent with the type field, before any data is
written.
Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they
are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to
0xff1ffc00).
Fixes: 9ee11f0fff ("ipv6: ioam: Data plane support for Pre-allocated Trace")
Cc: stable@vger.kernel.org
Signed-off-by: Junxi Qian <qjx1298677004@gmail.com>
Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
Link: https://patch.msgid.link/20260211040412.86195-1-qjx1298677004@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
75 lines
1.4 KiB
C
75 lines
1.4 KiB
C
/* SPDX-License-Identifier: GPL-2.0+ */
|
|
/*
|
|
* IPv6 IOAM implementation
|
|
*
|
|
* Author:
|
|
* Justin Iurman <justin.iurman@uliege.be>
|
|
*/
|
|
|
|
#ifndef _NET_IOAM6_H
|
|
#define _NET_IOAM6_H
|
|
|
|
#include <linux/net.h>
|
|
#include <linux/ipv6.h>
|
|
#include <linux/ioam6.h>
|
|
#include <linux/ioam6_genl.h>
|
|
#include <linux/rhashtable-types.h>
|
|
|
|
struct ioam6_namespace {
|
|
struct rhash_head head;
|
|
struct rcu_head rcu;
|
|
|
|
struct ioam6_schema __rcu *schema;
|
|
|
|
__be16 id;
|
|
__be32 data;
|
|
__be64 data_wide;
|
|
};
|
|
|
|
struct ioam6_schema {
|
|
struct rhash_head head;
|
|
struct rcu_head rcu;
|
|
|
|
struct ioam6_namespace __rcu *ns;
|
|
|
|
u32 id;
|
|
int len;
|
|
__be32 hdr;
|
|
|
|
u8 data[];
|
|
};
|
|
|
|
struct ioam6_pernet_data {
|
|
struct mutex lock;
|
|
struct rhashtable namespaces;
|
|
struct rhashtable schemas;
|
|
};
|
|
|
|
static inline struct ioam6_pernet_data *ioam6_pernet(struct net *net)
|
|
{
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
return net->ipv6.ioam6_data;
|
|
#else
|
|
return NULL;
|
|
#endif
|
|
}
|
|
|
|
struct ioam6_namespace *ioam6_namespace(struct net *net, __be16 id);
|
|
void ioam6_fill_trace_data(struct sk_buff *skb,
|
|
struct ioam6_namespace *ns,
|
|
struct ioam6_trace_hdr *trace,
|
|
bool is_input);
|
|
|
|
u8 ioam6_trace_compute_nodelen(u32 trace_type);
|
|
|
|
int ioam6_init(void);
|
|
void ioam6_exit(void);
|
|
|
|
int ioam6_iptunnel_init(void);
|
|
void ioam6_iptunnel_exit(void);
|
|
|
|
void ioam6_event(enum ioam6_event_type type, struct net *net, gfp_t gfp,
|
|
void *opt, unsigned int opt_len);
|
|
|
|
#endif /* _NET_IOAM6_H */
|