linux

mirror of https://github.com/torvalds/linux.git synced 2026-06-07 05:55:44 +02:00

History

Eric Dumazet 70b7b3c055 net/packet: fix slab-out-of-bounds access in packet_recvmsg() [ Upstream commit `c700525fcc` ] syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH and mmap operations, tpacket_rcv() is queueing skbs with garbage in skb->cb[], triggering a too big copy [1] Presumably, users of af_packet using mmap() already gets correct metadata from the mapped buffer, we can simply make sure to clear 12 bytes that might be copied to user space later. BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline] BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489 Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631 CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 memcpy+0x39/0x60 mm/kasan/shadow.c:66 memcpy include/linux/fortify-string.h:225 [inline] packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489 sock_recvmsg_nosec net/socket.c:948 [inline] sock_recvmsg net/socket.c:966 [inline] sock_recvmsg net/socket.c:962 [inline] ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632 ___sys_recvmsg+0x127/0x200 net/socket.c:2674 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fdfd5954c29 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005 RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60 R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54 </TASK> addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame: ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246 this frame has 1 object: [32, 160) 'addr' Memory state around the buggy address: ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 >ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 ^ ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 ================================================================== Fixes: `0fb375fb9b` ("[AF_PACKET]: Allow for > 8 byte hardware addresses.") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Link: https://lore.kernel.org/r/20220312232958.3535620-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>		2022-03-23 09:13:27 +01:00
..
6lowpan	6lowpan: iphc: Fix an off-by-one check of array index	2021-09-15 09:50:34 +02:00
9p	xen/9p: use alloc/free_pages_exact()	2022-03-11 12:11:54 +01:00
802	net/802/garp: fix memleak in garp_request_join()	2021-07-31 08:16:11 +02:00
8021q	net: vlan: fix underflow for the real_dev refcnt	2021-12-01 09:19:08 +01:00
appletalk
atm
ax25	ax25: Fix NULL pointer dereference in ax25_kill_by_device	2022-03-16 14:15:58 +01:00
batman-adv	batman-adv: Don't expect inter-netns unique iflink indices	2022-03-08 19:09:33 +01:00
bluetooth	Bluetooth: refactor malicious adv data check	2022-02-01 17:25:38 +01:00
bpf	bpf, test, cgroup: Use sk_{alloc,free} for test cases	2021-10-27 09:56:56 +02:00
bpfilter	bpfilter: Specify the log level for the kmsg message	2021-07-14 16:56:29 +02:00
bridge	net: bridge: vlan: fix memory leak in __allowed_ingress	2022-02-01 17:25:48 +01:00
caif	net-caif: avoid user-triggerable WARN_ON(1)	2021-09-22 12:27:56 +02:00
can	can: isotp: add SF_BROADCAST support for functional addressing	2022-02-23 12:00:56 +01:00
ceph
core	net-sysfs: add check for netdevice being present to speed_show	2022-03-16 14:16:00 +01:00
dcb	net: dcb: disable softirqs in dcbnl_flush_dev()	2022-03-08 19:09:37 +01:00
dccp	tcp: switch orphan_count to bare per-cpu counters	2021-11-18 14:04:08 +01:00
decnet	net: decnet: Fix sleeping inside in af_decnet	2021-07-28 14:35:38 +02:00
dns_resolver
dsa	net: dsa: don't allocate the slave_mii_bus using devres	2021-09-30 10:11:02 +02:00
ethernet
ethtool	ethtool: do not perform operations on net devices being unregistered	2021-12-17 10:14:41 +01:00
hsr
ieee802154	net: ieee802154: Return meaningful error codes from the netlink helpers	2022-02-08 18:30:37 +01:00
ife
ipv4	tcp: make tcp_read_sock() more robust	2022-03-19 13:44:46 +01:00
ipv6	esp6: fix check on ipv6_skip_exthdr's return value	2022-03-23 09:13:27 +01:00
iucv
kcm
key	xfrm: Check if_id in xfrm_migrate	2022-03-19 13:44:43 +01:00
l2tp	net/l2tp: Fix reference count leak in l2tp_udp_recv_core	2021-09-22 12:27:56 +02:00
l3mdev
lapb
llc	net: llc: fix skb_over_panic	2021-08-04 12:46:43 +02:00
mac80211	mac80211: refuse aggregations sessions before authorized	2022-03-19 13:44:44 +01:00
mac802154
mpls	net: mpls: Fix notifications when deleting a device	2021-12-08 09:03:23 +01:00
mptcp	mptcp: clear 'kern' flag from fallback sockets	2021-12-22 09:30:54 +01:00
ncsi	net/ncsi: check for error return from call to nla_put_u32	2022-01-05 12:40:32 +01:00
netfilter	netfilter: nf_queue: handle socket prefetch	2022-03-08 19:09:33 +01:00
netlabel	net: fix NULL pointer reference in cipso_v4_doi_free	2021-09-18 13:40:35 +02:00
netlink	net: netlink: af_netlink: Prevent empty skb by adding a check on len.	2021-12-17 10:14:40 +01:00
netrom	netrom: fix api breakage in nr_setsockopt()	2022-01-27 10:54:03 +01:00
nfc	nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()	2022-01-27 10:53:41 +01:00
nsh
openvswitch	openvswitch: Fix setting ipv6 fields causing hw csum failure	2022-03-02 11:42:49 +01:00
packet	net/packet: fix slab-out-of-bounds access in packet_recvmsg()	2022-03-23 09:13:27 +01:00
phonet	phonet: refcount leak in pep_sock_accep	2022-01-11 15:25:01 +01:00
psample
qrtr	net: qrtr: fix another OOB Read in qrtr_endpoint_post	2021-09-03 10:09:21 +02:00
rds	rds: memory leak in __rds_conn_create()	2021-12-22 09:30:54 +01:00
rfkill
rose
rxrpc	rxrpc: Adjust retransmission backoff	2022-02-01 17:25:46 +01:00
sched	net/sched: act_ct: Fix flow table lookup after ct clear or switching zones	2022-03-02 11:42:50 +01:00
sctp	sctp: fix the processing for INIT chunk	2022-03-19 13:44:42 +01:00
smc	net/smc: fix unexpected SMC_CLC_DECL_ERR_REGRMB error cause by server	2022-03-08 19:09:33 +01:00
strparser	bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding	2021-11-18 14:04:27 +01:00
sunrpc	xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create	2022-02-23 12:01:06 +01:00
switchdev
tipc	tipc: fix incorrect order of state message data sanity check	2022-03-16 14:15:58 +01:00
tls	net/tls: Fix authentication failure in CCM mode	2021-12-08 09:03:29 +01:00
unix	af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress	2022-01-27 10:54:31 +01:00
vmw_vsock	vsock: each transport cycles only on its own sockets	2022-03-23 09:13:27 +01:00
wimax
wireless	nl80211: Update bss channel on channel switch for P2P_CLIENT	2022-03-19 13:44:45 +01:00
x25
xdp	Revert "xsk: Do not sleep in poll() when need_wakeup set"	2021-12-22 09:30:59 +01:00
xfrm	xfrm: Fix xfrm migrate issues when address family changes	2022-03-19 13:44:43 +01:00
compat.c
devres.c
Kconfig
Makefile
socket.c	ethtool: improve compat ioctl handling	2021-09-18 13:40:21 +02:00
sysctl_net.c