Bug 6186 - net/ipv4/route.c: use after free in rt_fill_info
Summary: net/ipv4/route.c: use after free in rt_fill_info
Status: RESOLVED CODE_FIX
Alias: None
Product: Networking
Classification: Unclassified
Component: IPV4 (show other bugs)
Hardware: i386 Linux
: P2 normal
Assignee: Stephen Hemminger
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-03-07 16:22 UTC by Bryan O'Sullivan
Modified: 2006-07-24 15:34 UTC (History)
0 users

See Also:
Kernel Version: 2.6.16-git
Subsystem:
Regression: ---
Bisected commit-id:

Attachments
Possible patch to test (1.98 KB, patch)
2006-07-24 14:47 UTC, Stephen Hemminger 		Details | Diff
Add an attachment (proposed patch, testcase, etc.)

Description Bryan O'Sullivan 2006-03-07 16:22:21 UTC 
When rt_fill_info passes an skb to ipmr_get_route, it doesn't handle the case
where ipmr_get_route frees the skb (it gets freed in ipmr_cache_unresolved).

Instead, it bounces down to nlmsg_failure, where it calls skb_trim on the
deallocated skb.
Comment 1 Bryan O'Sullivan 2006-03-07 16:22:43 UTC 
Spotted by Coverity's checker.
Comment 2 Andrew Morton 2006-03-07 16:38:49 UTC 
bugme-daemon@bugzilla.kernel.org wrote:
>
> http://bugzilla.kernel.org/show_bug.cgi?id=6186
> 
>            Summary: net/ipv4/route.c: use after free in rt_fill_info
>     Kernel Version: 2.6.16-git
>             Status: NEW
>           Severity: normal
>              Owner: shemminger@osdl.org
>          Submitter: bos@serpentine.com
> 
> 
> When rt_fill_info passes an skb to ipmr_get_route, it doesn't handle the case
> where ipmr_get_route frees the skb (it gets freed in ipmr_cache_unresolved).
> 
> Instead, it bounces down to nlmsg_failure, where it calls skb_trim on the
> deallocated skb.
> 

A coverity catch, I assume?
Comment 3 Anonymous Emailer 2006-03-07 16:51:13 UTC 
Reply-To: davem@davemloft.net

From: Andrew Morton <akpm@osdl.org>
Date: Tue, 7 Mar 2006 16:41:02 -0800

> bugme-daemon@bugzilla.kernel.org wrote:
> >
> > http://bugzilla.kernel.org/show_bug.cgi?id=6186
> > 
> >            Summary: net/ipv4/route.c: use after free in rt_fill_info
> >     Kernel Version: 2.6.16-git
> >             Status: NEW
> >           Severity: normal
> >              Owner: shemminger@osdl.org
> >          Submitter: bos@serpentine.com
> > 
> > 
> > When rt_fill_info passes an skb to ipmr_get_route, it doesn't handle the case
> > where ipmr_get_route frees the skb (it gets freed in ipmr_cache_unresolved).
> > 
> > Instead, it bounces down to nlmsg_failure, where it calls skb_trim on the
> > deallocated skb.
> > 
> 
> A coverity catch, I assume?

In any case, this particular code can't work at all and it's been a
known problem for at least 2 years but nobody has felt inspired to
work on it.

This ipmr_get_route() function is getting a netlink SKB to
fill in the info, but if it can't find the cached entry
it uses that SKB as a normal IPv4 packet to try and resolve
a new cache entry totally clobbering the caller's state.
Comment 4 Stephen Hemminger 2006-07-24 14:47:55 UTC 
Created attachment 8609 [details]
Possible patch to test 

Allocate a new skb to avoid the bug
Comment 5 Stephen Hemminger 2006-07-24 15:34:25 UTC 
Patch cleaned up and submitted
Note You need to log in before you can comment on or make changes to this bug.