Bug#1032642: iproute2: ip tunnel change ip6gre to gre crashes with stack smash



On Mon, 3 Apr 2023 20:47:01 -0600
David Ahern <dsahern@kernel.org> wrote:

> On 4/3/23 9:24 AM, Stephen Hemminger wrote:
> > ted  
> >>
> >> This happens because iproute2 just assumes the tunnel is ipv4, but the
> >> kernel "knows" it's actually ip6gre so when calling the SIOCGETTUNNEL
> >> ioctl it writes back a struct ip6_tnl_parm2 into the struct
> >> ip_tunnel_parm which is smaller, so the stack gets overwritten. Is
> >> there any way to tell from userspace whether a gre is v4 or v6 before
> >> doing an ioctl? The ioctls don't take/return a size parameter as far
> >> as I can see...  
> > 
> > Ip uses an IPv4 UDP socket when it thinks it is talking to GRE.
> > And an IPv6 UDP socket when it is talking to GRE6.
> > 
> > So the kernel could check and error out?
> >   
> 
> Does seem like a kernel bug and a well known design flaw in ioctl
> interface (assuming buffer of a specific size). The best iproute2 can do
> is have `old_p` be a larger size (e.g., ip6_tnl_parm2) to avoid the
> overrun, but then the result is nonsense with no way for it to know an ipv6
> struct was passed back. The crash at least indicates something is off.

I started to look into redoing the whole 'ip tunnel XXX' as just a remapping
of arguments and calling the equivalent 'ip link ... type YYY' and it is doable
for the basic stuff.

Then I started looking at the Potential Router List (PRL) stuff.
Looks like this is only supported through ioctl().
Definitely a dusty dark corner of networking code with rarely used features.

Plus things like: the code to get the PRL will allow a bigger get if called
from root vs. a non-root user??
