iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Miaohe Lin b89d3ce010 net: sit: fix UBSAN Undefined behaviour in check_6rd 
[ Upstream commit a843dc4ebaecd15fca1f4d35a97210f72ea1473b ]

In func check_6rd,tunnel->ip6rd.relay_prefixlen may equal to
32,so UBSAN complain about it.

UBSAN: Undefined behaviour in net/ipv6/sit.c:781:47
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 6 PID: 20036 Comm: syz-executor.0 Not tainted 4.19.27 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1
04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
ubsan_epilogue+0xe/0x81 lib/ubsan.c:159
__ubsan_handle_shift_out_of_bounds+0x293/0x2e8 lib/ubsan.c:425
check_6rd.constprop.9+0x433/0x4e0 net/ipv6/sit.c:781
try_6rd net/ipv6/sit.c:806 [inline]
ipip6_tunnel_xmit net/ipv6/sit.c:866 [inline]
sit_tunnel_xmit+0x141c/0x2720 net/ipv6/sit.c:1033
__netdev_start_xmit include/linux/netdevice.h:4300 [inline]
netdev_start_xmit include/linux/netdevice.h:4309 [inline]
xmit_one net/core/dev.c:3243 [inline]
dev_hard_start_xmit+0x17c/0x780 net/core/dev.c:3259
__dev_queue_xmit+0x1656/0x2500 net/core/dev.c:3829
neigh_output include/net/neighbour.h:501 [inline]
ip6_finish_output2+0xa36/0x2290 net/ipv6/ip6_output.c:120
ip6_finish_output+0x3e7/0xa20 net/ipv6/ip6_output.c:154
NF_HOOK_COND include/linux/netfilter.h:278 [inline]
ip6_output+0x1e2/0x720 net/ipv6/ip6_output.c:171
dst_output include/net/dst.h:444 [inline]
ip6_local_out+0x99/0x170 net/ipv6/output_core.c:176
ip6_send_skb+0x9d/0x2f0 net/ipv6/ip6_output.c:1697
ip6_push_pending_frames+0xc0/0x100 net/ipv6/ip6_output.c:1717
rawv6_push_pending_frames net/ipv6/raw.c:616 [inline]
rawv6_sendmsg+0x2435/0x3530 net/ipv6/raw.c:946
inet_sendmsg+0xf8/0x5c0 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg+0xc8/0x110 net/socket.c:631
___sys_sendmsg+0x6cf/0x890 net/socket.c:2114
__sys_sendmsg+0xf0/0x1b0 net/socket.c:2152
do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Signed-off-by: linmiaohe <linmiaohe@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-19 13:14:08 +01:00
..
6lowpan
6lowpan: iphc: reset mac_header after decompress to fix panic
2018-10-03 17:01:42 -07:00
9p
9p/net: put a lower bound on msize
2019-01-13 10:03:52 +01:00
802
8021q
vlan: also check phy_driver ts_info for vlan's real device
2018-04-13 19:48:34 +02:00
appletalk
appletalk: use IS_ENABLED() instead of checking for built-in or module
2016-09-10 21:19:10 -07:00
atm
net: atm: Fix potential Spectre v1
2018-05-16 10:08:44 +02:00
ax25
ax25: fix possible use-after-free
2019-02-23 09:05:59 +01:00
batman-adv
batman-adv: fix uninit-value in batadv_interface_tx()
2019-02-27 10:07:00 +01:00
bluetooth
Bluetooth: Fix unnecessary error message for HCI request completion
2019-02-12 19:44:56 +01:00
bridge
Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
2019-02-27 10:07:03 +01:00
caif
net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
2018-09-05 09:20:00 +02:00
can
can: bcm: check timer values before ktime conversion
2019-01-31 08:12:36 +01:00
ceph
libceph: handle an empty authorize reply
2019-02-27 10:06:57 +01:00
core
net-sysfs: Fix mem leak in netdev_register_kobject
2019-03-13 14:04:52 -07:00
dcb
net: dcb: For wild-card lookups, use priority -1, not 0
2018-09-19 22:47:15 +02:00
dccp
dccp: fool proof ccid_hc_[rt]x_parse_options()
2019-02-12 19:44:59 +01:00
decnet
dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
2018-02-25 11:05:44 +01:00
dns_resolver
KEYS: DNS: fix parsing multiple options
2018-07-22 14:27:39 +02:00
dsa
net: dsa: slave: Don't propagate flag changes on down slave interfaces
2019-02-12 19:45:00 +01:00
ethernet
net: introduce device min_header_len
2017-02-18 15:11:43 +01:00
hsr
net/hsr: fix possible crash in add_timer()
2019-03-19 13:14:08 +01:00
ieee802154
ieee802154: lowpan_header_create check must check daddr
2019-01-09 16:16:40 +01:00
ipv4
vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel
2019-03-13 14:04:55 -07:00
ipv6
net: sit: fix UBSAN Undefined behaviour in check_6rd
2019-03-19 13:14:08 +01:00
ipx
ipx: call ipxitf_put() in ioctl error path
2017-05-25 15:44:41 +02:00
irda
irda: Only insert new objects into the global database via setsockopt
2018-09-15 09:43:01 +02:00
iucv
net/iucv: Free memory obtained by kzalloc
2018-03-31 18:11:34 +02:00
kcm
kcm: Fix use-after-free caused by clonned sockets
2018-06-13 16:16:42 +02:00
key
af_key: Always verify length of provided sadb_key
2018-06-16 09:52:32 +02:00
l2tp
l2tp: fix infoleak in l2tp_ip6_recvmsg()
2019-03-19 13:14:08 +01:00
l3mdev
net: ipv6: Remove l3mdev_get_saddr6
2016-09-10 23:12:53 -07:00
lapb
llc
llc: do not use sk_eat_skb()
2018-12-01 09:44:19 +01:00
mac80211
mac80211: Add attribute aligned(2) to struct 'action'
2019-03-05 17:57:06 +01:00
mac802154
net: mac802154: tx: expand tailroom if necessary
2018-09-09 20:01:19 +02:00
mpls
mpls, nospec: Sanitize array index in mpls_label_ok()
2018-03-11 16:21:34 +01:00
ncsi
net/ncsi: Improve HNCDSC AEN handler
2016-10-20 11:23:08 -04:00
netfilter
netfilter: nf_nat: skip nat clash resolution for same-origin entries
2019-03-13 14:05:00 -07:00
netlabel
netlabel: fix out-of-bounds memory accesses
2019-03-13 14:04:53 -07:00
netlink
netlink: Don't shift on 64 for ngroups
2018-08-09 12:17:59 +02:00
netrom
netrom: switch to sock timer API
2019-02-06 17:33:27 +01:00
nfc
net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
2019-03-13 14:04:53 -07:00
openvswitch
openvswitch: Avoid OOB read when parsing flow nlattrs
2019-01-31 08:12:33 +01:00
packet
net/packet: fix 4gb buffer limit due to overflow check
2019-02-27 10:07:00 +01:00
phonet
qrtr
net: qrtr: Broadcast messages only from control port
2018-08-24 13:12:36 +02:00
rds
rds: fix refcount bug in rds_sock_addref
2019-02-12 19:45:00 +01:00
rfkill
rfkill: gpio: fix memory leak in probe error path
2018-05-16 10:08:43 +02:00
rose
net/rose: fix NULL ax25_cb kernel panic
2019-02-06 17:33:27 +01:00
rxrpc
rxrpc: bad unlock balance in rxrpc_recvmsg
2019-02-12 19:44:59 +01:00
sched
net: netem: fix skb length BUG_ON in __skb_to_sgvec
2019-03-13 14:04:53 -07:00
sctp
sctp: call gso_reset_checksum when computing checksum in sctp_gso_segment
2019-02-27 10:07:01 +01:00
strparser
strparser: Fix incorrect strp->need_bytes value.
2018-04-29 11:32:02 +02:00
sunrpc
sunrpc: handle ENOMEM in rpcb_getport_async
2019-01-23 08:10:55 +01:00
switchdev
switchdev: Execute bridge ndos only for bridge ports
2016-10-19 10:58:04 -04:00
tipc
tipc: fix uninit-value in tipc_nl_compat_doit
2019-01-23 08:10:56 +01:00
unix
net/unix: don't show information about sockets from other namespaces
2017-11-18 11:22:22 +01:00
vmw_vsock
vsock/virtio: reset connected sockets on device removal
2019-03-13 14:05:00 -07:00
wimax
wireless
cfg80211: extend range deviation for DMG
2019-03-05 17:57:06 +01:00
x25
net/x25: do not hold the cpu too long in x25_new_lci()
2019-02-23 09:05:59 +01:00
xfrm
xfrm: refine validation of template and selector families
2019-02-15 08:07:39 +01:00
compat.c
sock: Make sock->sk_stamp thread-safe
2019-01-09 16:16:41 +01:00
Kconfig
strparser: Stream parser for messages
2016-08-17 19:36:23 -04:00
Makefile
strparser: Stream parser for messages
2016-08-17 19:36:23 -04:00
socket.c
net: socket: fix a missing-check bug
2018-11-10 07:42:58 -08:00
sysctl_net.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2016-10-06 09:52:23 -07:00