apport information

** Tags added: apport-collected bionic

** Description changed:

  == SRU Justification ==
  
  The following code returns EFAULT (Bad address):
  
    int on = 1;
    s = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
    setsockopt(s, SOL_IPV6, IPV6_HDRINCL, &on, sizeof(on));
    sendto(s, ipv6_icmp6_packet, len, 0, addr, addrlen);   /* returns -1, errno = EFAULT */
  
  The IPv4 equivalent code works.
  
  The failure happens because 2 bytes are eaten from the msghdr by
  rawv6_probe_proto_opt() starting from commit 19e3c66b52ca ("ipv6
  equivalent of "ipv4: Avoid reading user iov twice after
  raw_probe_proto_opt""), but at that time it was not a problem because
  IPV6_HDRINCL was not yet introduced.
  
  Only eat these 2 bytes if hdrincl == 0.
  
  == Fix ==
  
  Upstream commits:
  59e3e4b52663 ("ipv6: use READ_ONCE() for inet->hdrincl as in ipv4")
  b9aa52c4cb45 ("ipv6: fix EFAULT on sendto with icmpv6 and hdrincl")
  
  == Regression Potential ==
  
  Low. Only impacts IPv6 raw sockets with IPV6_HDRINCL.
  
  == Test Case ==
  
  Copy/paste this code in a python3 interpreter:
  
  import socket
  IPPROTO_ICMPV6 = socket.getprotobyname('ipv6-icmp')
  SOL_IPV6 = 41
  IPV6_HDRINCL = 36
  send_s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, IPPROTO_ICMPV6)
  send_s.setsockopt(SOL_IPV6, IPV6_HDRINCL, 1)
  # this is an IPv6 + ICMPv6 echo packet
  req = b'`\x00\x00\x00\x00":@?\xfe\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01?\xfe\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x80\x00\xe0\xda9\xa0V\x8dabcdefghijklmnopqrstuvwxyz'
  send_s.sendto(req, ('3ffe::2', 0, 0, 0))
  
  On error, it raises:
    OSError: [Errno 14] Bad address
  
  After the fix, no exception is raised.
+ --- 
+ ProblemType: Bug
+ AlsaDevices:
+  total 0
+  crw-rw---- 1 root audio 116,  1 Jun 28 08:58 seq
+  crw-rw---- 1 root audio 116, 33 Jun 28 08:58 timer
+ AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
+ ApportVersion: 2.20.9-0ubuntu7.6
+ Architecture: amd64
+ ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
+ AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
+ DistroRelease: Ubuntu 18.04
+ IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
+ Lsusb: Error: [Errno 2] No such file or directory: 'lsusb': 'lsusb'
+ MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
+ Package: linux (not installed)
+ PciMultimedia:
+  
+ ProcEnviron:
+  TERM=screen
+  PATH=(custom, no user)
+  XDG_RUNTIME_DIR=<set>
+  LANG=en_US.UTF-8
+  SHELL=/bin/bash
+ ProcFB:
+  
+ ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-50-generic root=/dev/mapper/6WIND-hostname ro console=ttyS0,115200n8 quiet splash vt.handoff=1
+ ProcVersionSignature: Ubuntu 4.15.0-50.54-generic 4.15.18
+ RelatedPackageVersions:
+  linux-restricted-modules-4.15.0-50-generic N/A
+  linux-backports-modules-4.15.0-50-generic  N/A
+  linux-firmware                             1.173.6
+ RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
+ Tags:  bionic
+ Uname: Linux 4.15.0-50-generic x86_64
+ UnreportableReason: This report is about a package that is not installed.
+ UpgradeStatus: No upgrade log present (probably fresh install)
+ UserGroups:
+  
+ _MarkForUpload: False
+ dmi.bios.date: 04/01/2014
+ dmi.bios.vendor: SeaBIOS
+ dmi.bios.version: rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org
+ dmi.chassis.type: 1
+ dmi.chassis.vendor: QEMU
+ dmi.chassis.version: pc-i440fx-2.12
+ dmi.modalias: dmi:bvnSeaBIOS:bvrrel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-2.12:cvnQEMU:ct1:cvrpc-i440fx-2.12:
+ dmi.product.name: Standard PC (i440FX + PIIX, 1996)
+ dmi.product.version: pc-i440fx-2.12
+ dmi.sys.vendor: QEMU

** Attachment added: "CRDA.txt"
   https://bugs.launchpad.net/bugs/1832828/+attachment/5274437/+files/CRDA.txt

https://bugs.launchpad.net/bugs/1832828

Title:
  ipv6: fix EFAULT on sendto with icmpv6 and hdrincl
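
Added example, not part of the bug report or the kernel patch: decoding the test-case packet and verifying its ICMPv6 checksum confirms that the input handed to sendto() is a well-formed echo request, so the EFAULT comes from the kernel send path and not from the packet. The function names are illustrative, and the decoder assumes an IPv6 header with no extension headers, as in the test case.

```python
import ipaddress
import struct

# Packet bytes from the Test Case above, split by field for readability.
REQ = (b'`\x00\x00\x00\x00":@'                 # version/class/flow, length, next header, hop limit
       + b'?\xfe' + b'\x00' * 13 + b'\x01'     # source address
       + b'?\xfe' + b'\x00' * 13 + b'\x02'     # destination address
       + b'\x80\x00\xe0\xda9\xa0V\x8d'         # ICMPv6 type, code, checksum, id, sequence
       + b'abcdefghijklmnopqrstuvwxyz')        # echo payload


def ones_complement_sum(data):
    """16-bit one's-complement sum used by the Internet checksum."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total


def decode_ipv6_icmpv6(pkt):
    """Decode a header-included IPv6 + ICMPv6 packet and check its checksum."""
    if len(pkt) < 44:
        raise ValueError("too short for IPv6 header plus ICMPv6 type/code/checksum")
    vtf, plen, nxt, hlim = struct.unpack('!IHBB', pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src, dst, payload = pkt[8:24], pkt[24:40], pkt[40:]
    if plen != len(payload):
        raise ValueError("payload length field does not match packet size")
    # Pseudo-header: src, dst, 32-bit upper-layer length, 3 zero bytes, next header.
    pseudo = src + dst + struct.pack('!I3xB', plen, nxt)
    return {
        'src': str(ipaddress.IPv6Address(src)),
        'dst': str(ipaddress.IPv6Address(dst)),
        'payload_len': plen,
        'next_header': nxt,
        'hop_limit': hlim,
        'icmp_type': payload[0],
        'icmp_code': payload[1],
        'checksum': struct.unpack('!H', payload[2:4])[0],
        # Summing pseudo-header and message, checksum included, gives 0xffff when valid.
        'checksum_ok': ones_complement_sum(pseudo + payload) == 0xffff,
    }


if __name__ == '__main__':
    for key, value in decode_ipv6_icmpv6(REQ).items():
        print(key, value)
```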
