)]}'
{
  "commit": "38769a817486deab62178507564e81404d9fbcd0",
  "tree": "672605f99902ffa2bb6e2b8c934c0f69463b403d",
  "parents": [
    "b15e582c1dbbf0e6f06747082754e5c5a71ea426"
  ],
  "author": {
    "name": "t.feng",
    "email": "fengtao40@huawei.com",
    "time": "Wed May 10 11:50:44 2023 +0800"
  },
  "committer": {
    "name": "Anil Altinay",
    "email": "aaltinay@google.com",
    "time": "Thu Jun 29 18:45:04 2023 +0000"
  },
  "message": "ipvlan:Fix out-of-bounds caused by unclear skb-\u003ecb\n\n[ Upstream commit 90cbed5247439a966b645b34eb0a2e037836ea8e ]\n\nIf skb enqueue the qdisc, fq_skb_cb(skb)-\u003etime_to_send is changed which\nis actually skb-\u003ecb, and IPCB(skb_in)-\u003eopt will be used in\n__ip_options_echo. It is possible that memcpy is out of bounds and lead\nto stack overflow.\nWe should clear skb-\u003ecb before ip_local_out or ip6_local_out.\n\nv2:\n1. clean the stack info\n2. use IPCB/IP6CB instead of skb-\u003ecb\n\ncrash on stable-5.10(reproduce in kasan kernel).\nStack info:\n[ 2203.651571] BUG: KASAN: stack-out-of-bounds in\n__ip_options_echo+0x589/0x800\n[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task\nswapper/3/0\n[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted\n5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1\n[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014\n[ 2203.655475] Call Trace:\n[ 2203.655481]  \u003cIRQ\u003e\n[ 2203.655501]  dump_stack+0x9c/0xd3\n[ 2203.655514]  print_address_description.constprop.0+0x19/0x170\n[ 2203.655530]  __kasan_report.cold+0x6c/0x84\n[ 2203.655586]  kasan_report+0x3a/0x50\n[ 2203.655594]  check_memory_region+0xfd/0x1f0\n[ 2203.655601]  memcpy+0x39/0x60\n[ 2203.655608]  __ip_options_echo+0x589/0x800\n[ 2203.655654]  __icmp_send+0x59a/0x960\n[ 2203.655755]  nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4]\n[ 2203.655763]  reject_tg+0x77/0x1bf [ipt_REJECT]\n[ 2203.655772]  ipt_do_table+0x691/0xa40 [ip_tables]\n[ 2203.655821]  nf_hook_slow+0x69/0x100\n[ 2203.655828]  __ip_local_out+0x21e/0x2b0\n[ 2203.655857]  ip_local_out+0x28/0x90\n[ 2203.655868]  ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan]\n[ 2203.655931]  ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan]\n[ 2203.655967]  ipvlan_queue_xmit+0xb3/0x190 [ipvlan]\n[ 2203.655977]  ipvlan_start_xmit+0x2e/0xb0 [ipvlan]\n[ 2203.655984]  xmit_one.constprop.0+0xe1/0x280\n[ 2203.655992]  dev_hard_start_xmit+0x62/0x100\n[ 2203.656000]  sch_direct_xmit+0x215/0x640\n[ 2203.656028]  __qdisc_run+0x153/0x1f0\n[ 2203.656069]  __dev_queue_xmit+0x77f/0x1030\n[ 2203.656173]  ip_finish_output2+0x59b/0xc20\n[ 2203.656244]  __ip_finish_output.part.0+0x318/0x3d0\n[ 2203.656312]  ip_finish_output+0x168/0x190\n[ 2203.656320]  ip_output+0x12d/0x220\n[ 2203.656357]  __ip_queue_xmit+0x392/0x880\n[ 2203.656380]  __tcp_transmit_skb+0x1088/0x11c0\n[ 2203.656436]  __tcp_retransmit_skb+0x475/0xa30\n[ 2203.656505]  tcp_retransmit_skb+0x2d/0x190\n[ 2203.656512]  tcp_retransmit_timer+0x3af/0x9a0\n[ 2203.656519]  tcp_write_timer_handler+0x3ba/0x510\n[ 2203.656529]  tcp_write_timer+0x55/0x180\n[ 2203.656542]  call_timer_fn+0x3f/0x1d0\n[ 2203.656555]  expire_timers+0x160/0x200\n[ 2203.656562]  run_timer_softirq+0x1f4/0x480\n[ 2203.656606]  __do_softirq+0xfd/0x402\n[ 2203.656613]  asm_call_irq_on_stack+0x12/0x20\n[ 2203.656617]  \u003c/IRQ\u003e\n[ 2203.656623]  do_softirq_own_stack+0x37/0x50\n[ 2203.656631]  irq_exit_rcu+0x134/0x1a0\n[ 2203.656639]  sysvec_apic_timer_interrupt+0x36/0x80\n[ 2203.656646]  asm_sysvec_apic_timer_interrupt+0x12/0x20\n[ 2203.656654] RIP: 0010:default_idle+0x13/0x20\n[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc\ncc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb\nf4 \u003cc3\u003e cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08\n[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256\n[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX:\nffffffffaf290191\n[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI:\nffff88811a3c4f60\n[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09:\nffff88811a3c4f63\n[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12:\n0000000000000003\n[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15:\n0000000000000000\n[ 2203.656729]  default_idle_call+0x5a/0x150\n[ 2203.656735]  cpuidle_idle_call+0x1c6/0x220\n[ 2203.656780]  do_idle+0xab/0x100\n[ 2203.656786]  cpu_startup_entry+0x19/0x20\n[ 2203.656793]  secondary_startup_64_no_verify+0xc2/0xcb\n\n[ 2203.657409] The buggy address belongs to the page:\n[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0\nmapping:0000000000000000 index:0x0 pfn:0x11a388\n[ 2203.658665] flags:\n0x17ffffc0001000(reserved|node\u003d0|zone\u003d2|lastcpupid\u003d0x1fffff)\n[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208\n0000000000000000\n[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff\n0000000000000000\n[ 2203.658686] page dumped because: kasan: bad access detected\n\nTo reproduce(ipvlan with IPVLAN_MODE_L3):\nEnv setting:\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nmodprobe ipvlan ipvlan_default_mode\u003d1\nsysctl net.ipv4.conf.eth0.forwarding\u003d1\niptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j\nMASQUERADE\nip link add gw link eth0 type ipvlan\nip -4 addr add 20.0.0.254/24 dev gw\nip netns add net1\nip link add ipv1 link eth0 type ipvlan\nip link set ipv1 netns net1\nip netns exec net1 ip link set ipv1 up\nip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1\nip netns exec net1 route add default gw 20.0.0.254\nip netns exec net1 tc qdisc add dev ipv1 root netem loss 10%\nifconfig gw up\niptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with\nicmp-port-unreachable\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nAnd then excute the shell(curl any address of eth0 can reach):\n\nfor((i\u003d1;i\u003c\u003d100000;i++))\ndo\n        ip netns exec net1 curl x.x.x.x:8888\ndone\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nBUG\u003db/289294537\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2023-3090 in the Linux kernel.\n\ncos-patch: security-high\nFixes: 2ad7bf363841 (\"ipvlan: Initial check-in of the IPVLAN driver.\")\nSigned-off-by: \"t.feng\" \u003cfengtao40@huawei.com\u003e\nSuggested-by: Florian Westphal \u003cfw@strlen.de\u003e\nReviewed-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\nChange-Id: I67951366ec1b05a8b2f5f350f9c4d9069ee5e1d2\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/51530\nReviewed-by: Oleksandr Tymoshenko \u003covt@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "d7fb6302d699ba49742f6362635184462e4947d6",
      "old_mode": 33188,
      "old_path": "drivers/net/ipvlan/ipvlan_core.c",
      "new_id": "1f5125698e83a4b08e0f908d802dcf214cf6a1ee",
      "new_mode": 33188,
      "new_path": "drivers/net/ipvlan/ipvlan_core.c"
    }
  ]
}