ipv6: fix EFAULT on sendto with icmpv6 and hdrincl
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Confirmed | Undecided | Kamal Mostafa |
Bionic | Fix Committed | Undecided | Kamal Mostafa |
Disco | Won't Fix | Undecided | Kamal Mostafa |
Bug Description
== SRU Justification ==
The following code returns EFAULT (Bad address):
s = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
setsockopt(s, SOL_IPV6, IPV6_HDRINCL, 1);
sendto(
The IPv4 equivalent code works.
The failure happens because 2 bytes are eaten from the msghdr by
rawv6_probe_
equivalent of "ipv4: Avoid reading user iov twice after
raw_probe_
IPV6_HDRINCL was not yet introduced.
Only eat these 2 bytes if hdrincl == 0.
== Fix ==
Upstream commits:
59e3e4b52663 ("ipv6: use READ_ONCE() for inet->hdrincl as in ipv4")
b9aa52c4cb45 ("ipv6: fix EFAULT on sendto with icmpv6 and hdrincl")
== Regression Potential ==
Low. Only impacts IPv6 raw sockets with IPV6_HDRINCL.
== Test Case ==
Copy/paste this code in a python3 interpreter:
import socket
IPPROTO_ICMPV6 = socket.
SOL_IPV6 = 41
IPV6_HDRINCL = 36
send_s = socket.
send_s.
# this is an IPv6 + ICMPv6 echo packet
req = b'`\x00\
send_s.sendto(req, ('3ffe::2', 0, 0, 0))
On error, it raises:
OSError: [Errno 14] Bad address
After the fix, no exception is raised.
---
ProblemType: Bug
AlsaDevices:
total 0
crw-rw---- 1 root audio 116, 1 Jun 28 08:58 seq
crw-rw---- 1 root audio 116, 33 Jun 28 08:58 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
DistroRelease: Ubuntu 18.04
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
Lsusb: Error: [Errno 2] No such file or directory: 'lsusb': 'lsusb'
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
Package: linux (not installed)
PciMultimedia:
ProcEnviron:
TERM=screen
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcFB:
ProcKernelCmdLine: BOOT_IMAGE=
ProcVersionSign
RelatedPackageV
linux-
linux-
linux-firmware 1.173.6
RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
Tags: bionic
Uname: Linux 4.15.0-50-generic x86_64
UnreportableReason: This report is about a package that is not installed.
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:
_MarkForUpload: False
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: rel-1.11.
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.
dmi.modalias: dmi:bvnSeaBIOS:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.
dmi.sys.vendor: QEMU
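The report's reproducer elides the packet bytes. The following script is an added example, not the reporter's code and not part of the kernel patch: it rebuilds the same sendto() call on an AF_INET6 raw ICMPv6 socket with IPV6_HDRINCL set, but constructs a complete IPv6 + ICMPv6 Echo Request itself, including the ICMPv6 checksum over the IPv6 pseudo-header, which the kernel will not fill in when the caller supplies the IPv6 header. The source address fe80::1, the payload, and the "ok"/errno-name return convention are assumptions for illustration; the destination 3ffe::2 is the one from the report. Opening the raw socket needs CAP_NET_RAW.

```python
import errno
import socket
import struct

# Constants spelled out as in the bug report; Python's socket module does
# not expose IPV6_HDRINCL, and IPPROTO_ICMPV6 may be missing on old builds.
IPPROTO_ICMPV6 = 58
SOL_IPV6 = 41
IPV6_HDRINCL = 36
ICMPV6_ECHO_REQUEST = 128


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, ident=0x1234, seq=1, payload=b""):
    """IPv6 header + ICMPv6 Echo Request with the checksum filled in here.

    With IPV6_HDRINCL the caller supplies the whole IPv6 header, and the
    ICMPv6 checksum covers the IPv6 pseudo-header (RFC 8200 section 8.1),
    so it has to be computed by the sender rather than left to the kernel.
    """
    src_b = socket.inet_pton(socket.AF_INET6, src)
    dst_b = socket.inet_pton(socket.AF_INET6, dst)
    icmp = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, ident, seq) + payload
    pseudo = src_b + dst_b + struct.pack("!IBBBB", len(icmp), 0, 0, 0, IPPROTO_ICMPV6)
    csum = inet_checksum(pseudo + icmp)
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    # version 6, traffic class 0, flow label 0; payload length; next header; hop limit 64
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 64) + src_b + dst_b
    return ip6 + icmp


def icmpv6_checksum_ok(packet: bytes) -> bool:
    """Verify the ICMPv6 checksum of an IPv6 + ICMPv6 packet (no extension headers)."""
    src_b, dst_b, icmp = packet[8:24], packet[24:40], packet[40:]
    pseudo = src_b + dst_b + struct.pack("!IBBBB", len(icmp), 0, 0, 0, packet[6])
    return inet_checksum(pseudo + icmp) == 0


def send_with_hdrincl(packet: bytes, dst: str) -> str:
    """Replay the report's sendto() with IPV6_HDRINCL set.

    Returns "ok" when the kernel accepted the packet, otherwise the errno
    name: "EFAULT" on an affected kernel, "EPERM" without CAP_NET_RAW,
    "ENETUNREACH" with no IPv6 route. This classification is an assumption
    of this example, not something the report states.
    """
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, IPPROTO_ICMPV6)
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    with s:
        s.setsockopt(SOL_IPV6, IPV6_HDRINCL, 1)
        try:
            s.sendto(packet, (dst, 0, 0, 0))
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))
    return "ok"


if __name__ == "__main__":
    # fe80::1 and the payload are illustrative; 3ffe::2 is the report's destination.
    pkt = build_echo_request("fe80::1", "3ffe::2", payload=b"hdrincl-test")
    print(len(pkt), "bytes, checksum ok:", icmpv6_checksum_ok(pkt))
    print("sendto ->", send_with_hdrincl(pkt, "3ffe::2"))
```

Run it as root on a 4.15 kernel without the fix and sendto() returns "EFAULT" regardless of how well-formed the packet is, because the probe consumes two bytes of the user iov before the copy; on a fixed kernel the same packet is accepted (or rejected only by routing).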
Changed in linux (Ubuntu Bionic):
status: New → Fix Committed
assignee: nobody → Kamal Mostafa (kamalmostafa)
Changed in linux (Ubuntu Disco):
status: New → Fix Committed
assignee: nobody → Kamal Mostafa (kamalmostafa)
Changed in linux (Ubuntu):
assignee: nobody → Kamal Mostafa (kamalmostafa)
Changed in linux (Ubuntu Disco):
status: Fix Committed → Won't Fix
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1832828
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.