Bug 6186

Summary: net/ipv4/route.c: use after free in rt_fill_info
Product: Networking Reporter: Bryan O'Sullivan (bos)
Component: IPV4Assignee: Stephen Hemminger (stephen)
Status: RESOLVED CODE_FIX    
Severity: normal    
Priority: P2    
Hardware: i386   
OS: Linux   
Kernel Version: 2.6.16-git Subsystem:
Regression: --- Bisected commit-id:
Attachments: Possible patch to test

Description Bryan O'Sullivan 2006-03-07 16:22:21 UTC 
When rt_fill_info passes an skb to ipmr_get_route, it doesn't handle the case
where ipmr_get_route frees the skb (it gets freed in ipmr_cache_unresolved).

Instead, it bounces down to nlmsg_failure, where it calls skb_trim on the
deallocated skb.
Comment 1 Bryan O'Sullivan 2006-03-07 16:22:43 UTC 
Spotted by Coverity's checker.
Comment 2 Andrew Morton 2006-03-07 16:38:49 UTC 
bugme-daemon@bugzilla.kernel.org wrote:
>
> http://bugzilla.kernel.org/show_bug.cgi?id=6186
> 
>            Summary: net/ipv4/route.c: use after free in rt_fill_info
>     Kernel Version: 2.6.16-git
>             Status: NEW
>           Severity: normal
>              Owner: shemminger@osdl.org
>          Submitter: bos@serpentine.com
> 
> 
> When rt_fill_info passes an skb to ipmr_get_route, it doesn't handle the case
> where ipmr_get_route frees the skb (it gets freed in ipmr_cache_unresolved).
> 
> Instead, it bounces down to nlmsg_failure, where it calls skb_trim on the
> deallocated skb.
> 

A coverity catch, I assume?
Comment 3 Anonymous Emailer 2006-03-07 16:51:13 UTC 
Reply-To: davem@davemloft.net

From: Andrew Morton <akpm@osdl.org>
Date: Tue, 7 Mar 2006 16:41:02 -0800

> bugme-daemon@bugzilla.kernel.org wrote:
> >
> > http://bugzilla.kernel.org/show_bug.cgi?id=6186
> > 
> >            Summary: net/ipv4/route.c: use after free in rt_fill_info
> >     Kernel Version: 2.6.16-git
> >             Status: NEW
> >           Severity: normal
> >              Owner: shemminger@osdl.org
> >          Submitter: bos@serpentine.com
> > 
> > 
> > When rt_fill_info passes an skb to ipmr_get_route, it doesn't handle the case
> > where ipmr_get_route frees the skb (it gets freed in ipmr_cache_unresolved).
> > 
> > Instead, it bounces down to nlmsg_failure, where it calls skb_trim on the
> > deallocated skb.
> > 
> 
> A coverity catch, I assume?

In any case, this particular code can't work at all and it's been a
known problem for at least 2 years but nobody has felt inspired to
work on it.

This ipmr_get_route() function is getting a netlink SKB to
fill in the info, but if it can't find the cached entry
it uses that SKB as a normal IPv4 packet to try and resolve
a new cache entry totally clobbering the caller's state.
Comment 4 Stephen Hemminger 2006-07-24 14:47:55 UTC 
Created attachment 8609 [details]
Possible patch to test 

Allocate a new skb to avoid the bug
Comment 5 Stephen Hemminger 2006-07-24 15:34:25 UTC 
Patch cleaned up and submitted