linux-stable/net
Sasha Levin 00d23e71b7 phonet: Check input from user before allocating
commit bcf1b70ac6 upstream.

A phonet packet is limited to USHRT_MAX bytes, this is never checked during
tx which means that the user can specify any size he wishes, and the kernel
will attempt to allocate that size.

In the good case, it'll lead to the following warning, but it may also cause
the kernel to kick in the OOM and kill a random task on the server.

[ 8921.744094] WARNING: at mm/page_alloc.c:2255 __alloc_pages_slowpath+0x65/0x730()
[ 8921.749770] Pid: 5081, comm: trinity Tainted: G        W    3.4.0-rc1-next-20120402-sasha #46
[ 8921.756672] Call Trace:
[ 8921.758185]  [<ffffffff810b2ba7>] warn_slowpath_common+0x87/0xb0
[ 8921.762868]  [<ffffffff810b2be5>] warn_slowpath_null+0x15/0x20
[ 8921.765399]  [<ffffffff8117eae5>] __alloc_pages_slowpath+0x65/0x730
[ 8921.769226]  [<ffffffff81179c8a>] ? zone_watermark_ok+0x1a/0x20
[ 8921.771686]  [<ffffffff8117d045>] ? get_page_from_freelist+0x625/0x660
[ 8921.773919]  [<ffffffff8117f3a8>] __alloc_pages_nodemask+0x1f8/0x240
[ 8921.776248]  [<ffffffff811c03e0>] kmalloc_large_node+0x70/0xc0
[ 8921.778294]  [<ffffffff811c4bd4>] __kmalloc_node_track_caller+0x34/0x1c0
[ 8921.780847]  [<ffffffff821b0e3c>] ? sock_alloc_send_pskb+0xbc/0x260
[ 8921.783179]  [<ffffffff821b3c65>] __alloc_skb+0x75/0x170
[ 8921.784971]  [<ffffffff821b0e3c>] sock_alloc_send_pskb+0xbc/0x260
[ 8921.787111]  [<ffffffff821b002e>] ? release_sock+0x7e/0x90
[ 8921.788973]  [<ffffffff821b0ff0>] sock_alloc_send_skb+0x10/0x20
[ 8921.791052]  [<ffffffff824cfc20>] pep_sendmsg+0x60/0x380
[ 8921.792931]  [<ffffffff824cb4a6>] ? pn_socket_bind+0x156/0x180
[ 8921.794917]  [<ffffffff824cb50f>] ? pn_socket_autobind+0x3f/0x90
[ 8921.797053]  [<ffffffff824cb63f>] pn_socket_sendmsg+0x4f/0x70
[ 8921.798992]  [<ffffffff821ab8e7>] sock_aio_write+0x187/0x1b0
[ 8921.801395]  [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
[ 8921.803501]  [<ffffffff8111842c>] ? __lock_acquire+0x42c/0x4b0
[ 8921.805505]  [<ffffffff821ab760>] ? __sock_recv_ts_and_drops+0x140/0x140
[ 8921.807860]  [<ffffffff811e07cc>] do_sync_readv_writev+0xbc/0x110
[ 8921.809986]  [<ffffffff811958e7>] ? might_fault+0x97/0xa0
[ 8921.811998]  [<ffffffff817bd99e>] ? security_file_permission+0x1e/0x90
[ 8921.814595]  [<ffffffff811e17e2>] do_readv_writev+0xe2/0x1e0
[ 8921.816702]  [<ffffffff810b8dac>] ? do_setitimer+0x1ac/0x200
[ 8921.818819]  [<ffffffff810e2ec1>] ? get_parent_ip+0x11/0x50
[ 8921.820863]  [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
[ 8921.823318]  [<ffffffff811e1926>] vfs_writev+0x46/0x60
[ 8921.825219]  [<ffffffff811e1a3f>] sys_writev+0x4f/0xb0
[ 8921.827127]  [<ffffffff82658039>] system_call_fastpath+0x16/0x1b
[ 8921.829384] ---[ end trace dffe390f30db9eb7 ]---

Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Acked-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2014-02-10 16:11:38 -05:00
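The tx path the message describes, modelled in user-space C as an added example that is not part of this commit or of the kernel: a user-supplied length flows into a mock skb allocator once without and once with the upper bound. The `model_` names, the 4 MiB allocator limit and the `-ENOMEM` return on allocation failure are assumptions of the model; the check mirrors the message's statement that a phonet packet is limited to USHRT_MAX bytes (the fix itself is not shown on this page).

```c
#include <errno.h>
#include <limits.h>   /* USHRT_MAX */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest request the mock allocator honours. It stands in for the page
 * allocator's order limit behind the WARNING in the trace above; the value
 * is an assumption of this model, not a kernel constant. */
#define MODEL_ALLOC_LIMIT ((size_t)4 << 20)

static size_t model_last_request; /* last size handed to the allocator */
static int model_alloc_warned;    /* 1 once a request exceeded the limit */

/* Stand-in for sock_alloc_send_skb(): records what it was asked for and
 * fails (as the real allocator warns and fails) for an absurd size. */
static void *model_alloc_skb(size_t len)
{
    model_last_request = len;
    if (len > MODEL_ALLOC_LIMIT) {
        model_alloc_warned = 1;
        return NULL;
    }
    return calloc(1, len ? len : 1);
}

/* Pre-fix shape: the length from userspace goes straight into the
 * allocation, whatever its size. */
int model_pep_sendmsg_unchecked(size_t len, void **skb)
{
    *skb = model_alloc_skb(len);
    return *skb ? 0 : -ENOMEM;
}

/* Post-fix shape: a phonet packet cannot exceed USHRT_MAX bytes, so refuse
 * anything larger with -EMSGSIZE before the allocator is touched. */
int model_pep_sendmsg_checked(size_t len, void **skb)
{
    *skb = NULL;
    if (len > USHRT_MAX)
        return -EMSGSIZE;
    *skb = model_alloc_skb(len);
    return *skb ? 0 : -ENOMEM;
}

void model_reset(void)
{
    model_last_request = 0;
    model_alloc_warned = 0;
}

int main(void)
{
    /* Constructed input: a 1 GiB sendmsg(), far beyond any phonet packet. */
    size_t len = (size_t)1 << 30;
    void *skb;
    int rc;

    model_reset();
    rc = model_pep_sendmsg_unchecked(len, &skb);
    printf("unchecked: rc=%d, allocator asked for %zu bytes, warned=%d\n",
           rc, model_last_request, model_alloc_warned);

    model_reset();
    rc = model_pep_sendmsg_checked(len, &skb);
    printf("checked:   rc=%d, allocator asked for %zu bytes, warned=%d\n",
           rc, model_last_request, model_alloc_warned);

    rc = model_pep_sendmsg_checked(USHRT_MAX, &skb);
    printf("checked at USHRT_MAX: rc=%d\n", rc);
    free(skb);
    return 0;
}
```

The point of the bound is where it sits: it runs before the allocation, so an oversized request costs a single comparison and never reaches the page allocator, whereas the unchecked path hands the full user-chosen size to it.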
9p net/9p: Fix the msize calculation. 2012-08-17 15:35:13 -04:00
802 include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
8021q include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
appletalk include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
atm atm: update msg_namelen in vcc_recvmsg() 2014-02-10 16:10:49 -05:00
ax25 ax25: fix info leak via msg_name in ax25_recvmsg() 2014-02-10 16:10:49 -05:00
bluetooth Bluetooth: fix possible info leak in bt_sock_recvmsg() 2014-02-10 16:11:17 -05:00
bridge bridge: set priority of STP packets 2014-02-10 16:10:54 -05:00
can can: add missing socket check in can/raw release 2012-03-14 10:57:20 -04:00
core drop_monitor: dont sleep in atomic context 2014-02-10 16:10:59 -05:00
dcb include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
dccp dccp: check ccid before dereferencing 2014-02-10 16:11:33 -05:00
decnet net: avoid limits overflow 2011-04-17 16:15:55 -04:00
dsa include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
econet econet: 4 byte infoleak to the network 2011-06-26 12:47:21 -04:00
ethernet include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
ieee802154 ieee802154: Fix oops during ieee802154_sock_ioctl 2010-04-26 11:20:32 -07:00
ipv4 cipso: don't follow a NULL pointer when setsockopt() is called 2014-02-10 16:11:36 -05:00
ipv6 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data 2014-02-10 16:10:45 -05:00
ipx include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
irda irda: prevent heap corruption on invalid nickname 2012-03-14 10:56:56 -04:00
iucv iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() 2014-02-10 16:10:48 -05:00
key include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
lapb include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
llc llc: Fix missing msg_namelen update in llc_ui_recvmsg() 2014-02-10 16:10:48 -05:00
mac80211 mac80211: Restart STA timers only on associated state 2012-05-17 11:21:16 -04:00
netfilter ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT) 2014-02-10 16:10:50 -05:00
netlabel Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-04-06 08:34:06 -07:00
netlink netlink: fix races after skb queueing 2014-02-10 16:10:56 -05:00
netrom include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
packet af_packet: remove BUG statement in tpacket_destruct_skb 2014-02-10 16:10:54 -05:00
phonet phonet: Check input from user before allocating 2014-02-10 16:11:38 -05:00
rds rds: set correct msg_namelen 2014-02-10 16:10:47 -05:00
rfkill include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
rose rose: fix info leak via msg_name in rose_recvmsg() 2014-02-10 16:10:47 -05:00
rxrpc include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sched net_sched: gred: Fix oops in gred_dump() in WRED mode 2014-02-10 16:10:55 -05:00
sctp sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails 2014-02-10 16:10:51 -05:00
sunrpc svcrpc: fix svc_xprt_enqueue/svc_recv busy-looping 2014-02-10 16:11:34 -05:00
tipc net: tipc: fix information leak to userland 2011-06-26 12:47:18 -04:00
unix unix: fix a race condition in unix_release() 2014-02-10 16:10:51 -05:00
wanrouter headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
wimax include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
wireless nl80211: fix MAC address validation 2013-01-16 16:44:59 -05:00
x25 x25: Prevent skb overreads when checking call user data 2012-08-17 15:35:24 -04:00
xfrm xfrm_user: return error pointer instead of NULL #2 2014-02-10 16:11:00 -05:00
compat.c net: Limit socket I/O iovec total length to INT_MAX. 2011-04-17 16:15:59 -04:00
Kconfig net/compat/wext: send different messages to compat tasks 2009-07-15 08:53:39 -07:00
Makefile net: remove redundant sched/ in net/Makefile 2009-07-12 20:11:14 -07:00
nonet.c
socket.c net: fix info leak in compat dev_ifconf() 2014-02-10 16:10:52 -05:00
sysctl_net.c net: spread __net_init, __net_exit 2010-01-17 19:16:02 -08:00
TUNABLE