Bug#1032642: iproute2: ip tunnel change ip6gre to gre crashes with stack smash

To: Luca Boccassi <bluca@debian.org>
Cc: David Ahern <dsahern@kernel.org>, Robin <imer@imer.cc>, Bernhard Übelacker <bernhardu@mailbox.org>, 1032642@bugs.debian.org
Subject: Bug#1032642: iproute2: ip tunnel change ip6gre to gre crashes with stack smash
From: Stephen Hemminger <stephen@networkplumber.org>
Date: Mon, 3 Apr 2023 08:24:29 -0700
Message-id: <[🔎] 20230403082429.7a8ae121@hermes.local>
Reply-to: Stephen Hemminger <stephen@networkplumber.org>, 1032642@bugs.debian.org
In-reply-to: <[🔎] CAMw=ZnQgn7yBDt6M2EW9CGkPTutuPU_L3-oC4j4Fzz9d+dyMPQ@mail.gmail.com>
References: <167845436438.274679.18241562197887210490.reportbug@localhost> <954dd7fa-933a-eef0-be73-de6fc7b61df5@mailbox.org> <[🔎] CAMw=ZnQgn7yBDt6M2EW9CGkPTutuPU_L3-oC4j4Fzz9d+dyMPQ@mail.gmail.com> <167845436438.274679.18241562197887210490.reportbug@localhost>

ted
> 
> This happens because iproute2 just assumes the tunnel is ipv4, but the
> kernel "knows" it's actually ip6gre so when calling the SIOCGETTUNNEL
> ioctl it writes back a struct ip6_tnl_parm2 into the struct
> ip_tunnel_parm which is smaller, so the stack gets overwritten. Is
> there any way to tell from userspace whether a gre is v4 or v6 before
> doing an ioctl? The ioctls don't take/return a size parameter as far
> as I can see...

Ip uses and IPv4 UDP socket when it thinks it is talking to GRE.
And a IPv6 UDP socket when it is talking to GRE6.

So the kernel could check and error out?

Reply to:

Follow-Ups:
- Bug#1032642: iproute2: ip tunnel change ip6gre to gre crashes with stack smash
  - From: David Ahern <dsahern@kernel.org>

References:
- Bug#1032642: iproute2: ip tunnel change ip6gre to gre crashes with stack smash
  - From: Luca Boccassi <bluca@debian.org>

Prev by Date: Bug#1032642: iproute2: ip tunnel change ip6gre to gre crashes with stack smash
Next by Date: Bug#1033911: please enable the experimental Xtensa backend in LLVM and Clang 16+
Previous by thread: Bug#1032642: iproute2: ip tunnel change ip6gre to gre crashes with stack smash
Next by thread: Bug#1032642: iproute2: ip tunnel change ip6gre to gre crashes with stack smash
Index(es):
- Date
- Thread