iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Nikolay Aleksandrov 1abb371147 net: bridge: xmit: make sure we have at least eth header len bytes 
[ Upstream commit 8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc ]

syzbot triggered an uninit value[1] error in bridge device's xmit path
by sending a short (less than ETH_HLEN bytes) skb. To fix it check if
we can actually pull that amount instead of assuming.

Tested with dropwatch:
 drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)
 origin: software
 timestamp: Mon May 13 11:31:53 2024 778214037 nsec
 protocol: 0x88a8
 length: 2
 original length: 2
 drop reason: PKT_TOO_SMALL

[1]
BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
 __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 netdev_start_xmit include/linux/netdevice.h:4917 [inline]
 xmit_one net/core/dev.c:3531 [inline]
 dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341
 dev_queue_xmit include/linux/netdevice.h:3091 [inline]
 __bpf_tx_skb net/core/filter.c:2136 [inline]
 __bpf_redirect_common net/core/filter.c:2180 [inline]
 __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187
 ____bpf_clone_redirect net/core/filter.c:2460 [inline]
 bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432
 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425
 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058
 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269
 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678
 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
 __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765
 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+a63a1f6a062033cf0f40@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a63a1f6a062033cf0f40
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-12 11:12:12 +02:00
..
6lowpan
9p
9p: Fix read/write debug statements to report server reply
2024-04-10 16:35:57 +02:00
802
8021q
net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb
2024-05-17 12:02:07 +02:00
appletalk
appletalk: Fix Use-After-Free in atalk_ioctl
2023-12-20 17:01:50 +01:00
atm
atm: Fix Use-After-Free in do_vcc_ioctl
2023-12-20 17:01:48 +01:00
ax25
ax25: Fix reference count leak issue of net_device
2024-06-12 11:11:54 +02:00
batman-adv
batman-adv: Avoid infinite loop trying to resize local TT
2024-04-17 11:19:25 +02:00
bluetooth
Bluetooth: HCI: Remove HCI_AMP support
2024-06-12 11:11:55 +02:00
bpf
bpf: Fix a few selftest failures due to llvm18 change
2024-02-05 20:14:20 +00:00
bpfilter
net: Use umd_cleanup_helper()
2023-05-31 13:06:57 +02:00
bridge
net: bridge: xmit: make sure we have at least eth header len bytes
2024-06-12 11:12:12 +02:00
caif
sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES)
2023-06-24 15:50:13 -07:00
can
can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
2024-02-23 09:25:17 +01:00
ceph
libceph: fail sparse-read if the data length doesn't match
2024-03-01 13:34:56 +01:00
core
net: give more chances to rcu in netdev_wait_allrefs_any()
2024-06-12 11:11:47 +02:00
dcb
net: dcb: choose correct policy to parse DCB_ATTR_BCN
2023-08-01 21:07:46 -07:00
dccp
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
2023-11-20 11:59:35 +01:00
devlink
devlink: fix port new reply cmd type
2024-03-26 18:20:11 -04:00
dns_resolver
keys, dns: Fix size check of V1 server-list header
2024-01-25 15:35:41 -08:00
dsa
net: dsa: mark parsed interface mode for legacy switch drivers
2023-08-09 13:08:09 -07:00
ethernet
ethernet: Add helper for assigning packet type when dest address does not match device address
2024-05-02 16:32:46 +02:00
ethtool
ethtool: netlink: Add missing ethnl_ops_begin/complete
2024-01-25 15:36:00 -08:00
handshake
net/handshake: Fix handshake_req_destroy_test1
2024-02-23 09:24:50 +01:00
hsr
hsr: Simplify code for announcing HSR nodes timer setup
2024-05-17 12:02:24 +02:00
ieee802154
sysctl-6.6-rc1
2023-08-29 17:39:15 -07:00
ife
net: sched: ife: fix potential use-after-free
2024-01-01 12:42:30 +00:00
ipv4
tcp: avoid premature drops in tcp_add_backlog()
2024-06-12 11:11:46 +02:00
ipv6
ipv6: sr: fix invalid unregister error path
2024-06-12 11:11:53 +02:00
iucv
net/iucv: fix the allocation size of iucv_path_table array
2024-03-26 18:19:12 -04:00
kcm
net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function
2024-03-26 18:19:40 -04:00
key
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2023-08-18 12:44:56 -07:00
l2tp
net l2tp: drop flow hash on forward
2024-05-17 12:02:02 +02:00
l3mdev
lapb
llc
llc: call sock_orphan() at release time
2024-02-05 20:14:36 +00:00
mac80211
wifi: mac80211: ensure beacon is non-S1G prior to extracting the beacon timestamp field
2024-06-12 11:11:22 +02:00
mac802154
mac802154: fix llsec key resources release in mac802154_llsec_key_del
2024-04-03 15:28:27 +02:00
mctp
net: mctp: copy skb ext data when fragmenting
2024-03-26 18:19:34 -04:00
mpls
net: mpls: error out if inner headers are not set
2024-04-13 13:07:41 +02:00
mptcp
mptcp: SO_KEEPALIVE: fix getsockopt support
2024-06-12 11:11:54 +02:00
ncsi
net/ncsi: Fix netlink major/minor version numbers
2024-01-25 15:35:20 -08:00
netfilter
netfilter: nf_tables: honor table dormant flag from netdev release event path
2024-05-02 16:32:39 +02:00
netlabel
calipso: fix memory leak in netlbl_calipso_add_pass()
2024-01-25 15:35:14 -08:00
netlink
netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
2024-03-06 14:48:34 +00:00
netrom
netrom: Fix data-races around sysctl_net_busy_read
2024-03-15 10:48:21 -04:00
nfc
nfc: nci: Fix kcov check in nci_rx_work()
2024-05-17 12:02:22 +02:00
nsh
nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
2024-05-17 12:02:02 +02:00
openvswitch
net: openvswitch: fix overwriting ct original tuple for ICMPv6
2024-06-12 11:11:52 +02:00
packet
packet: annotate data-races around ignore_outgoing
2024-03-26 18:20:10 -04:00
phonet
phonet: fix rtm_phonet_notify() skb allocation
2024-05-17 12:02:22 +02:00
psample
psample: Require 'CAP_NET_ADMIN' when joining "packets" group
2023-12-13 18:45:10 +01:00
qrtr
net: qrtr: ns: Return 0 if server port is not present
2024-01-20 11:51:47 +01:00
rds
net/rds: fix possible cp null dereference
2024-04-10 16:35:49 +02:00
rfkill
net: rfkill: gpio: set GPIO direction
2024-01-01 12:42:41 +00:00
rose
net/rose: fix races in rose_kill_by_device()
2024-01-01 12:42:31 +00:00
rxrpc
rxrpc: Only transmit one ACK per jumbo packet received
2024-05-17 12:02:23 +02:00
sched
net/sched: fix lockdep splat in qdisc_tree_reduce_backlog()
2024-04-10 16:35:51 +02:00
sctp
sctp: fix busy polling
2024-01-25 15:35:30 -08:00
smc
net/smc: fix neighbour and rtable leak in smc_ib_find_route()
2024-05-17 12:02:24 +02:00
strparser
sunrpc
SUNRPC: Fix gss_free_in_token_pages()
2024-06-12 11:12:11 +02:00
switchdev
net: bridge: switchdev: Skip MDB replays of deferred events on offload
2024-03-01 13:35:06 +01:00
tipc
tipc: fix UAF in error path
2024-05-17 12:02:32 +02:00
tls
tls: fix lockless read of strp->msg_ready in ->poll
2024-05-02 16:32:40 +02:00
unix
af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
2024-06-12 11:11:52 +02:00
vmw_vsock
vsock/virtio: fix packet delivery to tap device
2024-04-10 16:35:50 +02:00
wireless
wifi: nl80211: Avoid address calculations via out of bounds array indexing
2024-06-12 11:11:48 +02:00
x25
net/x25: fix incorrect parameter validation in the x25_getsockopt() function
2024-03-26 18:19:41 -04:00
xdp
xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
2024-04-17 11:19:28 +02:00
xfrm
xfrm: Preserve vlan tags for transport mode software GRO
2024-05-17 12:02:20 +02:00
compat.c
devres.c
Kconfig
bpf: Add fd-based tcx multi-prog infra with link support
2023-07-19 10:07:27 -07:00
Kconfig.debug
Makefile
socket.c
net: Save and restore msg_namelen in sock_sendmsg
2024-01-10 17:16:51 +01:00
sysctl_net.c
sysctl: Add size to register_net_sysctl function
2023-08-15 15:26:17 -07:00