From: Kery Qi
To: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
Cc: horms@kernel.org, kaber@trash.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Kery Qi
Subject: [PATCH] ipv6: ip6mr: check socket type and protocol in ip6mr_ioctl and ip6mr_compat_ioctl
Date: Fri, 23 Jan 2026 09:14:45 +0800
Message-ID: <20260123011444.2044-2-qikeyu2017@gmail.com>
X-Mailer: git-send-email 2.50.1.windows.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

commit 99253eb750fd ("ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt") fixed the issue for ip6_mroute_setsockopt() and ip6_mroute_getsockopt() by checking socket type and protocol before accessing raw6_sk(sk)->ip6mr_table.

However, ip6mr_ioctl() and ip6mr_compat_ioctl() were missed in that fix and have the same problem: they access raw6_sk(sk)->ip6mr_table without first verifying that the socket is a raw socket with IPPROTO_ICMPV6 protocol.

This allows a permission bypass where a user with CAP_NET_RAW can create a non-ICMPv6 raw socket (e.g., IPPROTO_UDP, IPPROTO_TCP, or any other protocol) and use SIOCGETMIFCNT_IN6 or SIOCGETSGCNT_IN6 ioctls to query IPv6 multicast routing statistics. This bypasses the access control that restricts mroute operations to ICMPv6 sockets only.

For example, the following would succeed on a vulnerable kernel:

    int fd = socket(AF_INET6, SOCK_RAW, IPPROTO_UDP);
    struct sioc_mif_req6 req = { .mifi = 0 };
    ioctl(fd, SIOCGETMIFCNT_IN6, &req);  // should fail with EOPNOTSUPP

While the direct security impact is limited to information disclosure of multicast routing statistics, this violates the intended access control model where only ICMPv6 raw sockets should be able to access mroute functionalities.

Add the same socket type and protocol check at the beginning of both ip6mr_ioctl() and ip6mr_compat_ioctl() to ensure only ICMPv6 raw sockets can access multicast routing ioctls. Fixes: e2d57766e674 ("net: Provide compat support for SIOCGETMIFCNT_IN6 and= SIOCGETSGCNT_IN6.") Fixes: d1db275dd3f6 ("ipv6: ip6mr: support multiple tables") Signed-off-by: Kery Qi --- net/ipv6/ip6mr.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c index e047a4680ab0..35f941861008 100644 --- a/net/ipv6/ip6mr.c +++ b/net/ipv6/ip6mr.c @@ -1906,6 +1906,10 @@ int ip6mr_ioctl(struct sock *sk, int cmd, void *arg) struct net *net =3D sock_net(sk); struct mr_table *mrt; =20 + if (sk->sk_type !=3D SOCK_RAW || + inet_sk(sk)->inet_num !=3D IPPROTO_ICMPV6) + return -EOPNOTSUPP; + mrt =3D ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT); if (!mrt) return -ENOENT; @@ -1974,6 +1978,10 @@ int ip6mr_compat_ioctl(struct sock *sk, unsigned int= cmd, void __user *arg) struct net *net =3D sock_net(sk); struct mr_table *mrt; =20 + if (sk->sk_type !=3D SOCK_RAW || + inet_sk(sk)->inet_num !=3D IPPROTO_ICMPV6) + return -EOPNOTSUPP; + mrt =3D ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT); if (!mrt) return -ENOENT; --=20 2.34.1
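
Review bot: In the first hunk, the new test in ip6mr_ioctl() runs before cmd is looked at, so on a non-ICMPv6 socket every ioctl number that reaches this function now returns -EOPNOTSUPP, not only SIOCGETMIFCNT_IN6 and SIOCGETSGCNT_IN6 that the changelog names. If callers act on this function's return value for commands it does not handle, that is a behaviour change wider than the stated fix. Consider applying the test only in the two mroute command cases, or say in the changelog that the blanket return is intended and what unrelated commands returned before.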
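
Review bot: In the second hunk, the condition added to ip6mr_compat_ioctl() is a verbatim copy of the one in ip6mr_ioctl(), and the changelog says commit 99253eb750fd put the same test on the setsockopt and getsockopt paths. A small static inline helper used at each site would keep them in sync and give one place for a comment explaining why raw6_sk(sk)->ip6mr_table must not be read on other socket types. The diffstat shows only net/ipv6/ip6mr.c changed, so no selftest is added; the three-line reproducer in the changelog would convert directly into one that expects EOPNOTSUPP.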