iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Tadeusz Struk ae8ec5eabb net: ipv6: fix skb_over_panic in __ip6_append_data 
commit 5e34af4142ffe68f01c8a9acae83300f8911e20c upstream.

Syzbot found a kernel bug in the ipv6 stack:
LINK: https://syzkaller.appspot.com/bug?id=205d6f11d72329ab8d62a610c44c5e7e25415580
The reproducer triggers it by sending a crafted message via sendmmsg()
call, which triggers skb_over_panic, and crashes the kernel:

skbuff: skb_over_panic: text:ffffffff84647fb4 len:65575 put:65575
head:ffff888109ff0000 data:ffff888109ff0088 tail:0x100af end:0xfec0
dev:<NULL>

Update the check that prevents an invalid packet with MTU equal
to the fregment header size to eat up all the space for payload.

The reproducer can be found here:
LINK: https://syzkaller.appspot.com/text?tag=ReproC&x=1648c83fb00000

Reported-by: syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Acked-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20220310232538.1044947-1-tadeusz.struk@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-03-28 09:57:07 +02:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:50:34 +02:00
9p
xen/9p: use alloc/free_pages_exact()
2022-03-11 12:11:54 +01:00
802
net/802/garp: fix memleak in garp_request_join()
2021-07-31 08:16:11 +02:00
8021q
net: vlan: fix underflow for the real_dev refcnt
2021-12-01 09:19:08 +01:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 15:00:08 +02:00
atm
net: atm: fix update of position index in lec_seq_next
2020-10-31 12:26:30 -07:00
ax25
ax25: Fix NULL pointer dereference in ax25_kill_by_device
2022-03-16 14:15:58 +01:00
batman-adv
batman-adv: Don't expect inter-netns unique iflink indices
2022-03-08 19:09:33 +01:00
bluetooth
Bluetooth: refactor malicious adv data check
2022-02-01 17:25:38 +01:00
bpf
bpf, test, cgroup: Use sk_{alloc,free} for test cases
2021-10-27 09:56:56 +02:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:56:29 +02:00
bridge
net: bridge: vlan: fix memory leak in __allowed_ingress
2022-02-01 17:25:48 +01:00
caif
net-caif: avoid user-triggerable WARN_ON(1)
2021-09-22 12:27:56 +02:00
can
can: isotp: add SF_BROADCAST support for functional addressing
2022-02-23 12:00:56 +01:00
ceph
libceph: clear con->out_msg on Policy::stateful_server faults
2020-10-12 15:29:27 +02:00
core
net-sysfs: add check for netdevice being present to speed_show
2022-03-16 14:16:00 +01:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:09:37 +01:00
dccp
tcp: switch orphan_count to bare per-cpu counters
2021-11-18 14:04:08 +01:00
decnet
net: decnet: Fix sleeping inside in af_decnet
2021-07-28 14:35:38 +02:00
dns_resolver
dsa
net: dsa: Add missing of_node_put() in dsa_port_parse_of
2022-03-23 09:13:28 +01:00
ethernet
ethtool
ethtool: do not perform operations on net devices being unregistered
2021-12-17 10:14:41 +01:00
hsr
net: hsr: fix mac_len checks
2021-06-03 09:00:50 +02:00
ieee802154
net: ieee802154: Return meaningful error codes from the netlink helpers
2022-02-08 18:30:37 +01:00
ife
ipv4
esp: Fix possible buffer overflow in ESP transformation
2022-03-23 09:13:29 +01:00
ipv6
net: ipv6: fix skb_over_panic in __ip6_append_data
2022-03-28 09:57:07 +02:00
iucv
net/af_iucv: remove WARN_ONCE on malformed RX packets
2021-03-07 12:34:05 +01:00
kcm
key
xfrm: Check if_id in xfrm_migrate
2022-03-19 13:44:43 +01:00
l2tp
net/l2tp: Fix reference count leak in l2tp_udp_recv_core
2021-09-22 12:27:56 +02:00
l3mdev
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:29:14 +01:00
llc
net: llc: fix skb_over_panic
2021-08-04 12:46:43 +02:00
mac80211
mac80211: refuse aggregations sessions before authorized
2022-03-19 13:44:44 +01:00
mac802154
net: mac802154: Fix general protection fault
2021-04-14 08:42:13 +02:00
mpls
net: mpls: Fix notifications when deleting a device
2021-12-08 09:03:23 +01:00
mptcp
mptcp: clear 'kern' flag from fallback sockets
2021-12-22 09:30:54 +01:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:40:32 +01:00
netfilter
netfilter: nf_queue: handle socket prefetch
2022-03-08 19:09:33 +01:00
netlabel
net: fix NULL pointer reference in cipso_v4_doi_free
2021-09-18 13:40:35 +02:00
netlink
net: netlink: af_netlink: Prevent empty skb by adding a check on len.
2021-12-17 10:14:40 +01:00
netrom
netrom: fix api breakage in nr_setsockopt()
2022-01-27 10:54:03 +01:00
nfc
nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()
2022-01-27 10:53:41 +01:00
nsh
openvswitch
openvswitch: Fix setting ipv6 fields causing hw csum failure
2022-03-02 11:42:49 +01:00
packet
net/packet: fix slab-out-of-bounds access in packet_recvmsg()
2022-03-23 09:13:27 +01:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:25:01 +01:00
psample
net: psample: Fix netlink skb length with tunnel info
2021-03-07 12:34:07 +01:00
qrtr
net: qrtr: fix another OOB Read in qrtr_endpoint_post
2021-09-03 10:09:21 +02:00
rds
rds: memory leak in __rds_conn_create()
2021-12-22 09:30:54 +01:00
rfkill
rfkill: Fix use-after-free in rfkill_resume()
2020-11-12 09:18:06 +01:00
rose
rose: Fix Null pointer dereference in rose_send_frame()
2020-11-20 10:04:58 -08:00
rxrpc
rxrpc: Adjust retransmission backoff
2022-02-01 17:25:46 +01:00
sched
net/sched: act_ct: Fix flow table lookup after ct clear or switching zones
2022-03-02 11:42:50 +01:00
sctp
sctp: fix the processing for INIT chunk
2022-03-19 13:44:42 +01:00
smc
net/smc: fix unexpected SMC_CLC_DECL_ERR_REGRMB error cause by server
2022-03-08 19:09:33 +01:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 14:04:27 +01:00
sunrpc
xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create
2022-02-23 12:01:06 +01:00
switchdev
net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP
2021-02-07 15:37:12 +01:00
tipc
tipc: fix incorrect order of state message data sanity check
2022-03-16 14:15:58 +01:00
tls
net/tls: Fix authentication failure in CCM mode
2021-12-08 09:03:29 +01:00
unix
af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress
2022-01-27 10:54:31 +01:00
vmw_vsock
vsock: each transport cycles only on its own sockets
2022-03-23 09:13:27 +01:00
wimax
genetlink: move to smaller ops wherever possible
2020-10-02 19:11:11 -07:00
wireless
nl80211: Update bss channel on channel switch for P2P_CLIENT
2022-03-19 13:44:45 +01:00
x25
net/x25: Return the correct errno code
2021-06-18 10:00:06 +02:00
xdp
Revert "xsk: Do not sleep in poll() when need_wakeup set"
2021-12-22 09:30:59 +01:00
xfrm
xfrm: Fix xfrm migrate issues when address family changes
2022-03-19 13:44:43 +01:00
compat.c
net: Return the correct errno code
2021-06-18 10:00:06 +02:00
devres.c
Kconfig
drop_monitor: Convert to using devlink tracepoint
2020-09-30 18:01:26 -07:00
Makefile
socket.c
ethtool: improve compat ioctl handling
2021-09-18 13:40:21 +02:00
sysctl_net.c