
Bug#1032642: iproute2: ip tunnel change ip6gre to gre crashes with stack smash



On Mon, 3 Apr 2023 20:47:01 -0600
David Ahern <dsahern@kernel.org> wrote:

> On 4/3/23 9:24 AM, Stephen Hemminger wrote:
> > ted  
> >>
> >> This happens because iproute2 just assumes the tunnel is ipv4, but the
> >> kernel "knows" it's actually ip6gre so when calling the SIOCGETTUNNEL
> >> ioctl it writes back a struct ip6_tnl_parm2 into the struct
> >> ip_tunnel_parm which is smaller, so the stack gets overwritten. Is
> >> there any way to tell from userspace whether a gre is v4 or v6 before
> >> doing an ioctl? The ioctls don't take/return a size parameter as far
> >> as I can see...  
> > 
> > Ip uses an IPv4 UDP socket when it thinks it is talking to GRE.
> > And a IPv6 UDP socket when it is talking to GRE6.
> > 
> > So the kernel could check and error out?
> >   
> 
> Does seem like a kernel bug and a well known design flaw in ioctl
> interface (assuming buffer of a specific size). The best iproute2 can do
> is have `old_p` be a larger size (e.g., ip6_tnl_parm2) to avoid the
> overrun, but then the result is nonsense with no way for it to know an ipv6
> struct was passed back. The crash at least indicates something is off.

Actually any change tunnel can have similar issues where the tunnel
is of one type and the request wants to change parameters.
The two structs (ip_param and ip6_tunnel_param) are different enough
that getting the incorrect type will be complete garbage.

There doesn't seem to be a good way to identify the tunnel type.
The only way I can see is to look at the link type (ifi_type)
but this is ARPHRD_XXX value and not the ip protocol.

The other way would be to query link info (with netlink)
and make sure that IFLA_INFO_KIND (in IFLA_LINKINFO) matches when
changing.

Or maybe get rid of the ip tunnel command and just use ip link
which is all netlink based.  The iptunnel stuff was introduced long ago
when the only way to make tunnels was with ioctl.  Now you can do
same operations with ip link.
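The netlink check Stephen describes above (look up IFLA_INFO_KIND in IFLA_LINKINFO and make sure it matches before touching the ioctl), written out as an added example in C. This is not iproute2's code and nothing in the thread contains it; it is one way a caller could refuse to hand SIOCGETTUNNEL a struct ip_tunnel_parm for a link the kernel would answer with an IPv6 struct. The kind-to-struct mapping in kind_uses_ip_tunnel_parm is my reading of the kernel's tunnel drivers, the default link name gre1 is assumed, and build_newlink_msg fabricates an RTM_NEWLINK reply so the parser can be exercised with no tunnel present.

```c
/* Added example, not iproute2 code: before issuing SIOCGETTUNNEL through a
 * struct ip_tunnel_parm, ask the kernel (RTM_GETLINK) what IFLA_INFO_KIND
 * the link has and refuse the IPv4 ioctl for IPv6 tunnel kinds, whose
 * answer is a larger struct and would overrun the buffer. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/if_tunnel.h>   /* struct ip_tunnel_parm, SIOCGETTUNNEL */
#include <linux/ip6_tunnel.h>  /* struct ip6_tnl_parm2, what ip6gre answers with */

#define KIND_MAX 32

/* Bytes an ip6gre SIOCGETTUNNEL reply writes past the end of struct ip_tunnel_parm. */
size_t ip6gre_overrun_bytes(void)
{
    return sizeof(struct ip6_tnl_parm2) - sizeof(struct ip_tunnel_parm);
}

/* Link kinds whose SIOCGETTUNNEL fills struct ip_tunnel_parm (assumed mapping,
 * my reading of the IPv4 drivers; ip6gre/ip6gretap/ip6tnl/vti6 use IPv6 structs). */
int kind_uses_ip_tunnel_parm(const char *kind)
{
    static const char *const v4[] = { "gre", "gretap", "ipip", "sit", "vti" };
    for (size_t i = 0; i < sizeof(v4) / sizeof(v4[0]); i++)
        if (!strcmp(kind, v4[i]))
            return 1;
    return 0;
}

static struct rtattr *find_attr(struct rtattr *rta, int len, int type)
{
    for (; RTA_OK(rta, len); rta = RTA_NEXT(rta, len))
        if (rta->rta_type == type)
            return rta;
    return NULL;
}

/* Pull IFLA_LINKINFO/IFLA_INFO_KIND out of one RTM_NEWLINK message.
 * Returns 1 and fills `kind`, or 0 if the message carries no kind. */
int link_kind_from_msg(struct nlmsghdr *nlh, char *kind, size_t klen)
{
    if (nlh->nlmsg_type != RTM_NEWLINK ||
        nlh->nlmsg_len < NLMSG_LENGTH(sizeof(struct ifinfomsg)))
        return 0;
    struct ifinfomsg *ifi = NLMSG_DATA(nlh);
    struct rtattr *li = find_attr(IFLA_RTA(ifi), IFLA_PAYLOAD(nlh), IFLA_LINKINFO);
    if (!li)
        return 0;
    struct rtattr *k = find_attr(RTA_DATA(li), RTA_PAYLOAD(li), IFLA_INFO_KIND);
    if (!k)
        return 0;
    snprintf(kind, klen, "%.*s", (int)RTA_PAYLOAD(k), (char *)RTA_DATA(k));
    return 1;
}

/* Constructed sample: a minimal RTM_NEWLINK reply carrying only
 * IFLA_LINKINFO{IFLA_INFO_KIND=kind}, standing in for the kernel's answer. */
struct nlmsghdr *build_newlink_msg(char *buf, size_t buflen, const char *kind)
{
    size_t klen = strlen(kind) + 1;
    size_t need = NLMSG_SPACE(sizeof(struct ifinfomsg)) + RTA_SPACE(RTA_SPACE(klen));
    if (need > buflen)
        return NULL;
    memset(buf, 0, need);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_type = RTM_NEWLINK;
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
    struct rtattr *li = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
    struct rtattr *k = RTA_DATA(li);
    k->rta_type = IFLA_INFO_KIND;
    k->rta_len = RTA_LENGTH(klen);
    memcpy(RTA_DATA(k), kind, klen);
    li->rta_type = IFLA_LINKINFO;
    li->rta_len = RTA_LENGTH(RTA_ALIGN(k->rta_len));
    nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(li->rta_len);
    return nlh;
}

/* Live query: RTM_GETLINK by IFLA_IFNAME over NETLINK_ROUTE (no privilege needed). */
int query_link_kind(const char *ifname, char *kind, size_t klen)
{
    struct { struct nlmsghdr nlh; struct ifinfomsg ifi; char attr[RTA_SPACE(IFNAMSIZ)]; } req;
    char buf[8192];
    size_t nl = strlen(ifname);
    if (nl >= IFNAMSIZ)
        return 0;
    int ok = 0, fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0)
        return 0;
    memset(&req, 0, sizeof(req));
    struct rtattr *rta = (struct rtattr *)req.attr;
    rta->rta_type = IFLA_IFNAME;
    rta->rta_len = RTA_LENGTH(nl + 1);
    memcpy(RTA_DATA(rta), ifname, nl);
    req.ifi.ifi_family = AF_UNSPEC;
    req.nlh.nlmsg_type = RTM_GETLINK;
    req.nlh.nlmsg_flags = NLM_F_REQUEST;
    req.nlh.nlmsg_len = NLMSG_LENGTH(sizeof(req.ifi)) + RTA_ALIGN(rta->rta_len);
    if (send(fd, &req, req.nlh.nlmsg_len, 0) == (ssize_t)req.nlh.nlmsg_len) {
        ssize_t n = recv(fd, buf, sizeof(buf), 0);
        /* An NLMSG_ERROR reply (no such link) is rejected by the RTM_NEWLINK check. */
        if (n > 0 && NLMSG_OK((struct nlmsghdr *)buf, (size_t)n))
            ok = link_kind_from_msg((struct nlmsghdr *)buf, kind, klen);
    }
    close(fd);
    return ok;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "gre1";  /* assumed link name */
    char kind[KIND_MAX];
    if (!query_link_kind(ifname, kind, sizeof(kind))) {
        fprintf(stderr, "%s: no such link or no IFLA_INFO_KIND, refusing ioctl\n", ifname);
        return 1;
    }
    if (!kind_uses_ip_tunnel_parm(kind)) {
        fprintf(stderr, "%s is kind %s: refusing SIOCGETTUNNEL via struct ip_tunnel_parm "
                "(an ip6gre reply is %zu bytes larger)\n", ifname, kind, ip6gre_overrun_bytes());
        return 1;
    }
    printf("%s is kind %s: SIOCGETTUNNEL with struct ip_tunnel_parm is safe\n", ifname, kind);
    return 0;
}
```

Run it as `./a.out <link>` on a Linux box: a gre link is allowed through, an ip6gre link is refused, and a link with no IFLA_INFO_KIND at all (a physical NIC, or a kernel too old to report it) is also refused, which is the conservative side to fail on. The ARPHRD value in ifi_type is deliberately not consulted, for the reason given in the mail: it names the link layer, not the IP protocol the tunnel driver speaks.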
