github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-08 06:25:52 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
ef9a6df09c
linux/include
History
Willem de Bruijn b228c9b058 net: expand textsearch ts_state to fit skb_seq_state 
The referenced commit expands the skb_seq_state used by
skb_find_text with a 4B frag_off field, growing it to 48B.

This exceeds container ts_state->cb, causing a stack corruption:

[   73.238353] Kernel panic - not syncing: stack-protector: Kernel stack
is corrupted in: skb_find_text+0xc5/0xd0
[   73.247384] CPU: 1 PID: 376 Comm: nping Not tainted 5.11.0+ #4
[   73.252613] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.14.0-2 04/01/2014
[   73.260078] Call Trace:
[   73.264677]  dump_stack+0x57/0x6a
[   73.267866]  panic+0xf6/0x2b7
[   73.270578]  ? skb_find_text+0xc5/0xd0
[   73.273964]  __stack_chk_fail+0x10/0x10
[   73.277491]  skb_find_text+0xc5/0xd0
[   73.280727]  string_mt+0x1f/0x30
[   73.283639]  ipt_do_table+0x214/0x410

The struct is passed between skb_find_text and its callbacks
skb_prepare_seq_read, skb_seq_read and skb_abort_seq read through
the textsearch interface using TS_SKB_CB.

I assumed that this mapped to skb->cb like other .._SKB_CB wrappers.
skb->cb is 48B. But it maps to ts_state->cb, which is only 40B.

skb->cb was increased from 40B to 48B after ts_state was introduced,
in commit 3e3850e989 ("[NETFILTER]: Fix xfrm lookup in
ip_route_me_harder/ip6_route_me_harder").

Increase ts_state.cb[] to 48 to fit the struct.

Also add a BUILD_BUG_ON to avoid a repeat.

The alternative is to directly add a dependency from textsearch onto
linux/skbuff.h, but I think the intent is textsearch to have no such
dependencies on its callers.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=211911
Fixes: 97550f6fa5 ("net: compound page support in skb_seq_read")
Reported-by: Kris Karas <bugs-a17@moonlit-rail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-03-01 15:25:24 -08:00
..
acpi IOMMU Updates for Linux v5.12 2021-02-22 10:31:29 -08:00
asm-generic - added n64 block driver 2021-02-25 12:18:21 -08:00
clocksource
crypto Keyrings miscellany 2021-02-23 16:09:23 -08:00
drm drm/drm_vblank: set the dma-fence timestamp during send_vblank_event 2021-02-24 21:05:54 +05:30
dt-bindings Char/Misc driver patches for 5.12-rc1 2021-02-24 10:25:37 -08:00
keys
kunit
kvm
linux net: expand textsearch ts_state to fit skb_seq_state 2021-03-01 15:25:24 -08:00
math-emu
media Fixes around VM_FPNMAP and follow_pfn 2021-02-22 17:45:02 -08:00
memory
misc
net net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending 2021-02-23 11:29:52 -08:00
pcmcia
ras
rdma RDMA/ipoib: Remove racy Subnet Manager sendonly join checks 2021-02-16 14:42:58 -04:00
scsi
soc IOMMU Updates for Linux v5.12 2021-02-22 10:31:29 -08:00
sound ASoC: Updates for v5.12 2021-02-17 21:16:27 +01:00
target
trace mm/swap.c: don't pass "enum lru_list" to trace_mm_lru_insertion() 2021-02-24 13:38:33 -08:00
uapi Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 2021-02-26 13:16:31 -08:00
vdso
video
xen x86: 2021-02-21 13:31:43 -08:00