Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-07 13:43:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
14e138a86f
linux-stable/net
History
Avinash Repaka 14e138a86f RDS: Check cmsg_len before dereferencing CMSG_DATA 
RDS currently doesn't check if the length of the control message is
large enough to hold the required data, before dereferencing the control
message data. This results in following crash:

BUG: KASAN: stack-out-of-bounds in rds_rdma_bytes net/rds/send.c:1013
[inline]
BUG: KASAN: stack-out-of-bounds in rds_sendmsg+0x1f02/0x1f90
net/rds/send.c:1066
Read of size 8 at addr ffff8801c928fb70 by task syzkaller455006/3157

CPU: 0 PID: 3157 Comm: syzkaller455006 Not tainted 4.15.0-rc3+ #161
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 rds_rdma_bytes net/rds/send.c:1013 [inline]
 rds_sendmsg+0x1f02/0x1f90 net/rds/send.c:1066
 sock_sendmsg_nosec net/socket.c:628 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:638
 ___sys_sendmsg+0x320/0x8b0 net/socket.c:2018
 __sys_sendmmsg+0x1ee/0x620 net/socket.c:2108
 SYSC_sendmmsg net/socket.c:2139 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2134
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x43fe49
RSP: 002b:00007fffbe244ad8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe49
RDX: 0000000000000001 RSI: 000000002020c000 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004017b0
R13: 0000000000401840 R14: 0000000000000000 R15: 0000000000000000

To fix this, we verify that the cmsg_len is large enough to hold the
data to be read, before proceeding further.

Reported-by: syzbot <syzkaller-bugs@googlegroups.com>
Signed-off-by: Avinash Repaka <avinash.repaka@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-27 10:37:23 -05:00
..
6lowpan License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
9p make sock_alloc_file() do sock_release() on failures 2017-12-05 18:39:29 -05:00
802 treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
8021q Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-12 09:17:05 +09:00
appletalk treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
atm treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
ax25 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
batman-adv batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq 2017-12-04 11:47:33 +01:00
bluetooth treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
bpf bpf: add meta pointer for direct access 2017-09-26 13:36:44 -07:00
bridge net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks 2017-12-18 13:29:01 -05:00
caif License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
can treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
ceph We have a set of file locking improvements from Zheng, rbd rw/ro 2017-11-21 05:38:32 -10:00
core skbuff: skb_copy_ubufs must release uarg even without user frags 2017-12-21 15:00:58 -05:00
dcb rtnetlink: make rtnl_register accept a flags parameter 2017-08-09 16:57:38 -07:00
dccp dccp: CVE-2017-8824: use-after-free in DCCP code 2017-12-05 18:08:53 -05:00
decnet treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
dns_resolver KEYS: Fix race between updating and finding a negative key 2017-10-18 09:12:40 +01:00
dsa net: remove duplicate includes 2017-12-13 13:18:46 -05:00
ethernet networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
hsr net: hsr: Convert timers to use timer_setup() 2017-10-25 13:00:27 +09:00
ieee802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
ife MAINTAINERS: Update Yotam's E-mail 2017-11-01 12:19:03 +09:00
ipv4 ipv4: Fix use-after-free when flushing FIB tables 2017-12-20 15:12:39 -05:00
ipv6 ip6_gre: fix device features for ioctl setup 2017-12-26 12:21:19 -05:00
ipx Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
iucv iucv: Convert sk_wmem_alloc accesses to refcount_t. 2017-07-03 02:31:22 -07:00
kcm make sock_alloc_file() do sock_release() on failures 2017-12-05 18:39:29 -05:00
key af_key: replace BUG_ON on WARN_ON in net_exit hook 2017-11-14 15:45:52 +09:00
l2tp l2tp: exit_net cleanup check added 2017-11-14 15:45:53 +09:00
l3mdev
lapb treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
llc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-11-15 11:56:19 -08:00
mac80211 mac80211: fix locking in ieee80211_sta_tear_down_BA_sessions 2017-12-11 10:50:00 +01:00
mac802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
mpls Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
ncsi treewide: setup_timer() -> timer_setup() (2 field) 2017-11-21 15:57:09 -08:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2017-12-13 14:12:20 -05:00
netlabel net/netlabel: Add list_next_rcu() in rcu_dereference(). 2017-11-18 10:32:41 +09:00
netlink netlink: Add netns check on taps 2017-12-11 11:58:18 -05:00
netrom treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
nfc treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
nsh openvswitch: enable NSH support 2017-11-08 16:12:33 +09:00
openvswitch openvswitch: Fix pop_vlan action for double tagged frames 2017-12-21 13:02:08 -05:00
packet net/packet: fix a race in packet_bind() and packet_notifier() 2017-11-28 11:13:30 -05:00
phonet phonet: exit_net cleanup check added 2017-11-14 15:45:53 +09:00
psample MAINTAINERS: Update Yotam's E-mail 2017-11-01 12:19:03 +09:00
qrtr Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-10 10:00:18 +09:00
rds RDS: Check cmsg_len before dereferencing CMSG_DATA 2017-12-27 10:37:23 -05:00
rfkill net: rfkill: gpio: Switch to devm_acpi_dev_add_driver_gpios() 2017-06-13 11:07:51 +02:00
rose treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
rxrpc rxrpc: Use correct netns source in rxrpc_release_sock() 2017-12-03 10:05:20 -05:00
sched net: sched: fix possible null pointer deref in tcf_block_put 2017-12-26 13:02:05 -05:00
sctp sctp: add SCTP_CID_RECONF conversion in sctp_cname 2017-12-18 13:21:46 -05:00
smc net/smc: Fix preinitialization of buf_desc in __smc_buf_create() 2017-11-24 01:33:34 +09:00
strparser strparser: Use delayed work instead of timer for msg timeout 2017-10-25 10:37:11 +09:00
sunrpc NFS client fixes for Linux 4.15-rc4 2017-12-16 13:12:53 -08:00
switchdev net: bridge: Add/del switchdev object on host join/leave 2017-11-10 13:41:40 +09:00
tipc tipc: fix memory leak of group member when peer node is lost 2017-12-26 13:06:36 -05:00
tls tls: don't override sk_write_space if tls_set_sw_offload fails. 2017-11-14 16:26:35 +09:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
vmw_vsock VSOCK: fix outdated sk_state value in hvs_release() 2017-12-05 15:07:37 -05:00
wimax License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
wireless cfg80211: ship certificates as hex files 2017-12-19 09:28:01 +01:00
x25 treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
xfrm treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
compat.c net: compat: assert the size of cmsg copied in is as expected 2017-09-20 15:36:18 -07:00
Kconfig net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros. 2017-09-04 13:25:20 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
socket.c make sock_alloc_file() do sock_release() on failures 2017-12-05 18:39:29 -05:00
sysctl_net.c sysctl: Remove dead register_sysctl_root 2017-04-16 23:42:49 -05:00