Re: [PATCH net v3] ipv6: validate extension header length before copying to cmsg

[Paolo Abeni]

On 4/23/26 12:32 PM, Qi Tang wrote:
> ip6_datagram_recv_specific_ctl() builds IPV6_{HOPOPTS,DSTOPTS,RTHDR}
> cmsgs (and their IPV6_2292* legacy counterparts) by trusting the
> on-wire hdrlen byte (ptr[1]) when computing the put_cmsg() length.
> The length was validated only at parse time (ipv6_parse_hopopts(),
> etc.).  An nftables payload-write expression can rewrite hdrlen after
> parsing and before the skb reaches recvmsg; the write itself is
> in-bounds but put_cmsg() then reads up to ((hdrlen+1) << 3) = 2040
> bytes from an 8-byte header.  nftables is reachable from an
> unprivileged user namespace, so this is an unprivileged
> slab-out-of-bounds read:
> 
>   BUG: KASAN: slab-out-of-bounds in put_cmsg+0x3ac/0x540
>    put_cmsg+0x3ac/0x540
>    udpv6_recvmsg+0xca0/0x1250
>    sock_recvmsg+0xdf/0x190
>    ____sys_recvmsg+0x1b1/0x620
> 
> Add ipv6_get_exthdr_len() which computes the extension header length
> and validates it against skb_tail_pointer(skb), returning 0 on
> failure.  Extension headers are kept in the linear skb area by
> pskb_may_pull() during input, so skb_tail_pointer() is the correct
> bound.
> 
> Use ipv6_get_exthdr_len() at all non-AH call sites: the five
> standalone cmsg blocks (HbH, 2292HbH, 2292DSTOPTS x2, 2292RTHDR)
> and the three standard cases in the extension-header walk loop
> (DSTOPTS, ROUTING, default).  AH retains an inline bounds check
> because its length formula differs ((ptr[1]+2)<<2).
> 
> When the walk loop detects a corrupted header, return from the
> function instead of continuing to process later socket options.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Qi Tang <tpluszz77@xxxxxxxxx>
> ---
> Changes v2 -> v3:
>   - Resend as new thread (v2 was incorrectly sent as reply to v1)
> 
> Changes v1 -> v2 (Paolo Abeni):
>   - Factor repeated bounds-check + put_cmsg into ipv6_get_exthdr_len()
>   - Return from the function on corrupted walk-loop entry instead of
>     goto + empty label
> 
> v2: https://lore.kernel.org/netdev/20260423102255.3752004-1-tpluszz77@xxxxxxxxx/
> v1: https://lore.kernel.org/netdev/20260419150344.624673-1-tpluszz77@xxxxxxxxx/
> 
>  net/ipv6/datagram.c | 46 +++++++++++++++++++++++++++++++++++++--------
>  1 file changed, 38 insertions(+), 8 deletions(-)
> 
> diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
> index 972bf0426d59..0a7b74d5f402 100644
> --- a/net/ipv6/datagram.c
> +++ b/net/ipv6/datagram.c
> @@ -617,6 +617,13 @@ void ip6_datagram_recv_common_ctl(struct sock *sk, struct msghdr *msg,
>  	}
>  }
>  
> +static u16 ipv6_get_exthdr_len(const struct sk_buff *skb, const u8 *ptr)
> +{
> +	u16 len = (ptr[1] + 1) << 3;

Sashiko notes that you should validate even this offset (1) before
accessing it.

You may also consider switching to pskb_may_pull().

/P