iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
981,184 Commits 104 Branches 1,843 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Eric Dumazet 70b7b3c055 net/packet: fix slab-out-of-bounds access in packet_recvmsg() 
[ Upstream commit c700525fcc06b05adfea78039de02628af79e07a ]

syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH
and mmap operations, tpacket_rcv() is queueing skbs with
garbage in skb->cb[], triggering a too big copy [1]

Presumably, users of af_packet using mmap() already gets correct
metadata from the mapped buffer, we can simply make sure
to clear 12 bytes that might be copied to user space later.

BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631

CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x39/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:225 [inline]
 packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
 sock_recvmsg_nosec net/socket.c:948 [inline]
 sock_recvmsg net/socket.c:966 [inline]
 sock_recvmsg net/socket.c:962 [inline]
 ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632
 ___sys_recvmsg+0x127/0x200 net/socket.c:2674
 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fdfd5954c29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60
R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54
 </TASK>

addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:
 ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246

this frame has 1 object:
 [32, 160) 'addr'

Memory state around the buggy address:
 ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
 ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
                                                                ^
 ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1
 ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00
==================================================================

Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20220312232958.3535620-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-03-23 09:13:27 +01:00
arch
arm64: kvm: Fix copy-and-paste error in bhb templates for v5.10 stable
2022-03-19 13:44:46 +01:00
block
block/wbt: fix negative inflight counter when remove scsi device
2022-02-23 12:01:04 +01:00
certs
certs: Trigger creation of RSA module signing key if it's not an RSA key
2021-09-15 09:50:29 +02:00
crypto
crypto: api - Move cryptomgr soft dependency into algapi
2022-02-11 09:09:03 +01:00
Documentation
arm64: cpufeature: add HWCAP for FEAT_RPRES
2022-03-11 12:11:51 +01:00
drivers
net: phy: marvell: Fix invalid comparison in the resume and suspend functions
2022-03-23 09:13:27 +01:00
fs
ocfs2: fix crash when initialize filecheck kobj fails
2022-03-23 09:13:27 +01:00
include
vsock: each transport cycles only on its own sockets
2022-03-23 09:13:27 +01:00
init
bpf: Add kconfig knob for disabling unpriv bpf by default
2022-01-05 12:40:34 +01:00
ipc
shm: extend forced shm destroy to support objects from several IPC nses
2021-12-01 09:19:10 +01:00
kernel
watch_queue: Fix filter limit check
2022-03-16 14:16:03 +01:00
lib
ARM: 9178/1: fix unmet dependency on BITREVERSE for HAVE_ARCH_BITREVERSE
2022-03-19 13:44:44 +01:00
LICENSES
LICENSES/deprecated: add Zlib license text
2020-09-16 14:33:49 +02:00
mm
mm: swap: get rid of livelock in swapin readahead
2022-03-23 09:13:27 +01:00
net
net/packet: fix slab-out-of-bounds access in packet_recvmsg()
2022-03-23 09:13:27 +01:00
samples
ftrace/samples: Add missing prototypes direct functions
2022-01-11 15:25:00 +01:00
scripts
kconfig: fix failing to generate auto.conf
2022-02-23 12:01:07 +01:00
security
ima: Do not print policy rule with inactive LSM labels
2022-02-16 12:54:16 +01:00
sound
ASoC: cs4265: Fix the duplicated control name
2022-03-08 19:09:35 +01:00
tools
kselftest/vm: fix tests build with old libc
2022-03-19 13:44:46 +01:00
usr
usr/include/Makefile: add linux/nfc.h to the compile-test coverage
2022-02-01 17:25:48 +01:00
virt
KVM: eventfd: Fix false positive RCU usage warning
2022-02-16 12:54:20 +01:00
.clang-format
RDMA 5.10 pull request
2020-10-17 11:18:18 -07:00
.cocciconfig
.get_maintainer.ignore
Opt out of scripts/get_maintainer.pl
2019-05-16 10:53:40 -07:00
.gitattributes
.gitattributes: use 'dts' diff driver for dts files
2019-12-04 19:44:11 -08:00
.gitignore
kbuild: generate Module.symvers only when vmlinux exists
2021-05-19 10:12:59 +02:00
.mailmap
mailmap: add two more addresses of Uwe Kleine-König
2020-12-06 10:19:07 -08:00
COPYING
COPYING: state that all contributions really are covered by this file
2020-02-10 13:32:20 -08:00
CREDITS
MAINTAINERS: Move Jason Cooper to CREDITS
2020-11-30 10:20:34 +01:00
Kbuild
kbuild: rename hostprogs-y/always to hostprogs/always-y
2020-02-04 01:53:07 +09:00
Kconfig
kbuild: ensure full rebuild when the compiler is updated
2020-05-12 13:28:33 +09:00
MAINTAINERS
MAINTAINERS: adjust GCC PLUGINS after gcc-plugin.sh removal
2021-12-14 11:32:46 +01:00
Makefile
Linux 5.10.107
2022-03-19 13:44:47 +01:00
README
Drop all 00-INDEX files from Documentation/
2018-09-09 15:08:58 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.
Description
No description provided
Readme 5.7 GiB
Languages
C 97.6%
Assembly 1%
Shell 0.5%
Python 0.3%
Makefile 0.3%