iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Oleksij Rempel d2136f0569 can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access 
commit b45193cb4df556fe6251b285a5ce44046dd36b4a upstream.

In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access
could occur during the memcpy() operation if the size of skb->cb is
larger than the size of struct j1939_sk_buff_cb. This is because the
memcpy() operation uses the size of skb->cb, leading to a read beyond
the struct j1939_sk_buff_cb.

Updated the memcpy() operation to use the size of struct
j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the
memcpy() operation only reads the memory within the bounds of struct
j1939_sk_buff_cb, preventing out-of-bounds memory access.

Additionally, add a BUILD_BUG_ON() to check that the size of skb->cb
is greater than or equal to the size of struct j1939_sk_buff_cb. This
ensures that the skb->cb buffer is large enough to hold the
j1939_sk_buff_cb structure.

Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Reported-by: Shuangpeng Bai <sjb7183@psu.edu>
Tested-by: Shuangpeng Bai <sjb7183@psu.edu>
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://groups.google.com/g/syzkaller/c/G_LL-C3plRs/m/-8xCi6dCAgAJ
Link: https://lore.kernel.org/all/20230404073128.3173900-1-o.rempel@pengutronix.de
Cc: stable@vger.kernel.org
[mkl: rephrase commit message]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-04-20 12:07:34 +02:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:47:31 +02:00
9p
9p/rdma: unmap receive dma buffer in rdma_request()/post_recv()
2023-03-11 16:44:12 +01:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2023-01-18 11:41:37 +01:00
8021q
net: vlan: fix underflow for the real_dev refcnt
2021-12-01 09:23:34 +01:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 14:47:41 +02:00
atm
treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()
2023-04-20 12:07:32 +02:00
ax25
ax25: Fix UAF bugs in ax25 timers
2022-04-20 09:19:40 +02:00
batman-adv
batman-adv: Don't skb_split skbuffs with frag_list
2022-05-18 09:47:24 +02:00
bluetooth
Bluetooth: hci_sock: purge socket queues in the destruct() callback
2023-03-11 16:44:16 +01:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2023-01-18 11:41:04 +01:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:53:33 +02:00
bridge
netfilter: br_netfilter: disable sabotage_in hook after first suppression
2023-02-22 12:50:24 +01:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-17 08:32:51 +01:00
can
can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access
2023-04-20 12:07:34 +02:00
ceph
libceph: clear con->out_msg on Policy::stateful_server faults
2020-11-05 11:43:34 +01:00
core
net: don't let netpoll invoke NAPI if in xmit context
2023-04-20 12:07:33 +02:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:07:51 +01:00
dccp
dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions.
2023-02-22 12:50:40 +01:00
decnet
net: decnet: Fix sleeping inside in af_decnet
2021-07-28 13:30:56 +02:00
dns_resolver
KEYS: Don't write out to userspace while holding key semaphore
2020-04-23 10:36:45 +02:00
dsa
net: dsa: ksz: Check return value
2022-12-14 11:30:45 +01:00
ethernet
hsr
hsr: Avoid double remove of a node.
2023-01-18 11:41:09 +01:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:56:54 +09:00
ife
ipv4
icmp: guard against too small mtu
2023-04-20 12:07:33 +02:00
ipv6
ipv6: Fix an uninit variable access bug in __ip6_make_skb()
2023-04-20 12:07:33 +02:00
iucv
treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()
2023-04-20 12:07:32 +02:00
kcm
kcm: close race conditions on sk_receive_queue
2022-11-25 17:42:21 +01:00
key
af_key: Fix send_acquire race with pfkey_register
2022-12-08 11:22:57 +01:00
l2tp
l2tp: Don't sleep and disable BH under writer-side sk_callback_lock
2023-02-06 07:52:38 +01:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:50:47 +02:00
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:25:28 +01:00
llc
llc: only change llc->dev when bind() succeeds
2022-03-28 08:46:48 +02:00
mac80211
wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
2023-04-20 12:07:33 +02:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:30:45 +01:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-22 12:50:41 +01:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:37:45 +01:00
netfilter
netfilter: nft_redir: correct value of inet type .maxattrs
2023-03-22 13:28:04 +01:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-15 14:18:35 +02:00
netlink
netlink: annotate data races around sk_state
2023-02-06 07:52:45 +01:00
netrom
netrom: Fix use-after-free caused by accept on already connected socket
2023-02-22 12:50:24 +01:00
nfc
nfc: change order inside nfc_se_io error path
2023-03-17 08:32:48 +01:00
nsh
openvswitch
net: openvswitch: fix flow memory leak in ovs_flow_cmd_new
2023-02-22 12:50:25 +01:00
packet
net/af_packet: make sure to pull mac header
2023-01-18 11:41:45 +01:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:23:33 +01:00
psample
qrtr
net: qrtr: fix another OOB Read in qrtr_endpoint_post
2021-09-03 10:08:12 +02:00
rds
rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
2023-03-11 16:43:41 +01:00
rfkill
rfkill: Fix use-after-free in rfkill_resume()
2020-11-24 13:29:05 +01:00
rose
net/rose: Fix to not accept on connected socket
2023-02-22 12:50:34 +01:00
rxrpc
rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
2023-01-18 11:41:33 +01:00
sched
net: sched: fix race condition in qdisc_graft()
2023-04-05 11:16:46 +02:00
sctp
sctp: check send stream number after wait_for_sndbuf
2023-04-20 12:07:33 +02:00
smc
net/smc: fix fallback failed while sendmsg with fastopen
2023-03-17 08:32:51 +01:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-17 09:48:48 +01:00
sunrpc
sunrpc: only free unix grouplist after RCU settles
2023-04-20 12:07:33 +02:00
switchdev
net: switchdev: do not propagate bridge updates across bridges
2021-10-27 09:54:24 +02:00
tipc
tipc: call tipc_lxc_xmit without holding node_read_lock
2023-01-18 11:42:06 +01:00
tls
net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
2023-04-05 11:16:36 +02:00
unix
af_unix: Get user_ns from in_skb in unix_diag_get_exact().
2022-12-14 11:30:44 +01:00
vmw_vsock
net: vmw_vsock: vmci: Check memcpy_from_msg()
2023-01-18 11:41:13 +01:00
wimax
wireless
wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
2023-03-13 10:18:25 +01:00
x25
net/x25: Fix to not accept on connected socket
2023-02-22 12:50:26 +01:00
xdp
Revert "xsk: Do not sleep in poll() when need_wakeup set"
2021-12-22 09:29:40 +01:00
xfrm
xfrm: Allow transport-mode states with AF_UNSPEC selector
2023-03-22 13:28:03 +01:00
compat.c
net: Return the correct errno code
2021-06-18 09:59:00 +02:00
Kconfig
net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build
2020-04-01 11:02:18 +02:00
Makefile
socket.c
net: Fix a data-race around sysctl_somaxconn.
2022-09-05 10:27:42 +02:00
sysctl_net.c