From: Tadeusz Struk
Sent: 10 March 2022 22:13
Syzbot found a kernel bug in the ipv6 stack: LINK: https://syzkaller.appspot.com/bug?id=205d6f11d72329ab8d62a610c44c5e7e2541558... The reproducer triggers it by sending a crafted message via sendmmsg() call, which triggers skb_over_panic, and crashes the kernel:
skbuff: skb_over_panic: text:ffffffff84647fb4 len:65575 put:65575 head:ffff888109ff0000 data:ffff888109ff0088 tail:0x100af end:0xfec0 dev:<NULL>
Add a check that prevents an invalid packet with MTU equall to the fregment header size to eat up all the space for payload.
There probably ought to be a check much earlier that stops the option that makes the iphdr being to big being accepted in the first place.
Much better to do the check in the option generation code.
David
- Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)