iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/include/net
History
王贇 65492b05f4 net: prevent user from passing illegal stab size 
[ Upstream commit b193e15ac69d56f35e1d8e2b5d16cbd47764d053 ]

We observed below report when playing with netlink sock:

  UBSAN: shift-out-of-bounds in net/sched/sch_api.c:580:10
  shift exponent 249 is too large for 32-bit type
  CPU: 0 PID: 685 Comm: a.out Not tainted
  Call Trace:
   dump_stack_lvl+0x8d/0xcf
   ubsan_epilogue+0xa/0x4e
   __ubsan_handle_shift_out_of_bounds+0x161/0x182
   __qdisc_calculate_pkt_len+0xf0/0x190
   __dev_queue_xmit+0x2ed/0x15b0

it seems like kernel won't check the stab log value passing from
user, and will use the insane value later to calculate pkt_len.

This patch just add a check on the size/cell_log to avoid insane
calculation.

Reported-by: Abaci <abaci@linux.alibaba.com>
Signed-off-by: Michael Wang <yun.wang@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-10-17 10:19:49 +02:00
..
9p
9p: Add refcount to p9_req_t
2019-07-03 13:14:42 +02:00
bluetooth
Bluetooth: defer cleanup of resources in hci_unregister_dev()
2021-08-12 13:19:40 +02:00
caif
net: caif: add proper error handling
2021-06-10 13:24:06 +02:00
iucv
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
netfilter
netfilter: nf_log: missing vlan offload tag and proto
2020-10-29 09:55:15 +01:00
netns
net: xfrm: Localize sequence counter per network namespace
2021-04-14 08:22:34 +02:00
nfc
NFC: nci: fix memory leak in nci_allocate_device
2021-06-03 08:38:02 +02:00
phonet
phonet: fix building with clang
2019-03-23 20:09:51 +01:00
sctp
sctp: move 198 addresses from unusable to private scope
2021-07-31 08:22:38 +02:00
tc_act
net/sched: don't dereference a->goto_chain to read the chain index
2019-05-04 09:20:18 +02:00
6lowpan.h
act_api.h
net sched: fix reporting the first-time use timestamp
2020-06-03 08:19:15 +02:00
addrconf.h
ipv6: fix memory leaks on IPV6_ADDRFORM path
2020-08-11 15:32:34 +02:00
af_ieee802154.h
ieee802154: add rx LQI from userspace
2018-07-13 12:18:18 -04:00
af_rxrpc.h
rxrpc: Push iov_iter up from rxrpc_kernel_recv_data() to caller
2018-08-03 12:46:20 -07:00
af_unix.h
net: split out functions related to registering inflight socket files
2021-07-31 08:22:37 +02:00
af_vsock.h
vsock: split dwork to avoid reinitializations
2018-08-07 12:39:13 -07:00
ah.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
arp.h
ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled
2019-06-11 12:20:57 +02:00
atmclip.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ax25.h
ax25: fix possible use-after-free
2019-02-23 09:07:27 +01:00
ax88796.h
net-next: ax88796: add interrupt status callback to platform data
2018-04-19 16:11:11 -04:00
bond_3ad.h
include/net/bond_3ad: Simplify the code by using the ARRAY_SIZE
2018-08-04 13:23:15 -07:00
bond_alb.h
bond_options.h
bonding: Prevent duplicate userspace notification
2017-05-27 18:51:41 -04:00
bonding.h
bonding: wait for sysfs kobject destruction before freeing struct slave
2020-12-08 10:18:53 +01:00
busy_poll.h
net: annotate data race around sk_ll_usec
2021-07-31 08:22:38 +02:00
calipso.h
net, calipso: convert calipso_doi.refcount from atomic_t to refcount_t
2017-07-04 22:35:16 +01:00
cfg80211-wext.h
cfg80211.h
mac80211: properly handle A-MSDUs that start with an RFC 1042 header
2021-06-03 08:38:03 +02:00
cfg802154.h
checksum.h
cipso_ipv4.h
net, ipv4: convert cipso_v4_doi.refcount from atomic_t to refcount_t
2017-07-04 01:29:04 -07:00
cls_cgroup.h
codel_impl.h
codel_qdisc.h
codel.h
compat.h
net: remove compat_sys_*() prototypes from net/compat.h
2018-04-02 20:16:17 +02:00
datalink.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
dcbevent.h
dcbnl.h
net: dcb: Add priority-to-DSCP map getters
2018-07-27 13:17:50 -07:00
devlink.h
devlink: Add helper function for safely copy string param
2018-10-10 10:19:10 -07:00
dn_dev.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
dn_fib.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
dn_neigh.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
dn_nsp.h
net/decnet: Convert timers to use timer_setup()
2017-10-18 12:39:36 +01:00
dn_route.h
decnet: Move dn_next into decnet route structure.
2017-11-30 09:54:25 -05:00
dn.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-04 09:26:51 +09:00
dsa.h
net: dsa: read mac address from DT for slave device
2020-11-10 12:36:02 +01:00
dsfield.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
dst_cache.h
net: core: dst_cache_set_ip6: Rename 'addr' parameter to 'saddr' for consistency
2018-03-05 12:52:45 -05:00
dst_metadata.h
net: validate lwtstate->data before returning from skb_tunnel_info()
2021-07-28 11:13:45 +02:00
dst_ops.h
net: add bool confirm_neigh parameter for dst_ops.update_pmtu
2020-01-04 19:13:37 +01:00
dst.h
net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb
2020-07-22 09:31:59 +02:00
erspan.h
erspan: set bso bit based on mirrored packet's len
2018-05-20 18:31:42 -04:00
esp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ethoc.h
inet: whitespace cleanup
2018-02-28 11:43:28 -05:00
failover.h
net: Introduce generic failover module
2018-05-28 22:59:54 -04:00
fib_notifier.h
net: Add extack to fib_notifier_info
2017-11-01 11:50:43 +09:00
fib_rules.h
fib: add missing attribute validation for tun_id
2020-03-18 07:14:14 +01:00
firewire.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
flow_dissector.h
net: sched: correct flower port blocking
2020-03-05 16:42:16 +01:00
flow.h
xfrm: Remove xfrmi interface ID from flowi
2018-07-20 10:14:41 +02:00
fou.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
fq_impl.h
net/fq_impl: Switch to kvmalloc() for memory allocation
2019-12-05 09:19:45 +01:00
fq.h
net/flow_dissector: switch to siphash
2019-11-10 11:27:54 +01:00
garp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
gen_stats.h
net: core: protect rate estimator statistics pointer with lock
2018-08-11 12:37:10 -07:00
genetlink.h
genetlink: remove genl_bind
2020-07-22 09:31:58 +02:00
geneve.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
gre.h
net: GRE: Add is_gretap_dev, is_ip6gretap_dev
2018-02-27 14:46:26 -05:00
gro_cells.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
gtp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
gue.h
fou: fix some member types in guehdr
2017-12-11 14:10:06 -05:00
hwbm.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
icmp.h
net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending
2021-03-04 09:39:59 +01:00
ieee80211_radiotap.h
radiotap: add structs for HE
2018-06-15 14:04:00 +02:00
ieee802154_netdev.h
if_inet6.h
net/ipv6: Add support for specifying metric of connected routes
2018-05-29 10:12:45 -04:00
ife.h
net: sched: ife: handle malformed tlv length
2018-04-22 21:12:00 -04:00
ila.h
inet6_connection_sock.h
inet6_hashtables.h
net: ipv6: add second dif to inet6 socket lookups
2017-08-07 11:39:22 -07:00
inet_common.h
net: Convert GRO SKB handling to list_head.
2018-06-26 11:33:04 +09:00
inet_connection_sock.h
tcp: relookup sock for RST+ACK packets handled by obsolete req sock
2021-04-07 12:48:47 +02:00
inet_ecn.h
sched: consistently handle layer3 header accesses in the presence of VLANs
2020-07-22 09:32:00 +02:00
inet_frag.h
net: IP defrag: encapsulate rbtree defrag code into callable functions
2019-04-27 09:36:33 +02:00
inet_hashtables.h
tcp/dccp: fix possible race __inet_lookup_established()
2020-01-04 19:13:41 +01:00
inet_sock.h
inet: make sure to grab rcu_read_lock before using ireq->ireq_opt
2018-10-02 15:52:12 -07:00
inet_timewait_sock.h
net-tcp: remove useless tw_timeout field
2018-06-05 10:45:24 -04:00
inetpeer.h
net: ipv4: use a dedicated counter for icmp_v4 redirect packets
2019-02-23 09:07:24 +01:00
ip6_checksum.h
ip6_fib.h
ipv6: fix the check before getting the cookie in rt6_get_cookie
2019-06-11 12:20:48 +02:00
ip6_route.h
net: ipv6: fix returned variable type in ip6_skb_dst_mtu
2021-08-12 13:19:39 +02:00
ip6_tunnel.h
ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL
2019-07-14 08:11:14 +02:00
ip_fib.h
net: ipv4: Fix memory leak in network namespace dismantle
2019-01-31 08:14:32 +01:00
ip_tunnels.h
ip_tunnels: Set tunnel option flag when tunnel metadata is present
2020-11-24 13:27:21 +01:00
ip_vs.h
ipvs: allow connection reuse for unconfirmed conntrack
2020-08-19 08:14:56 +02:00
ip.h
net: lwtunnel: handle MTU calculation in forwading
2021-07-20 16:15:52 +02:00
ipcomp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ipconfig.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ipv6_frag.h
ip6: fix skb leak in ip6frag_expire_frag_queue()
2019-07-10 09:53:46 +02:00
ipv6.h
net: ipv6: add net argument to ip6_dst_lookup_flow
2020-04-29 16:31:16 +02:00
ipx.h
bonding/alb: properly access headers in bond_alb_xmit()
2020-02-11 04:34:14 -08:00
iw_handler.h
net: Spelling s/stucture/structure/
2018-03-27 09:51:23 +02:00
kcm.h
l3mdev.h
ipvlan, l3mdev: fix broken l3s mode wrt local routes
2019-02-06 17:30:06 +01:00
lag.h
net: Add lag.h, net_lag_port_dev_txable()
2018-07-11 23:10:19 -07:00
lapb.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
lib80211.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
llc_c_ac.h
net: LLC: Convert timers to use timer_setup()
2017-10-25 12:06:25 +09:00
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc: fix sk_buff leak in llc_conn_service()
2019-11-06 13:06:23 +01:00
llc_if.h
llc_pdu.h
net: llc: fix skb_over_panic
2021-08-04 12:23:46 +02:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h
llc: avoid blocking in llc_sap_close()
2019-11-20 18:46:35 +01:00
lwtunnel.h
net: Move ipv4 set_lwt_redirect helper to lwtunnel
2018-02-14 14:43:32 -05:00
mac80211.h
mac80211: add support for HE
2018-06-18 22:40:32 +02:00
mac802154.h
mip6.h
mld.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
mpls_iptunnel.h
mpls.h
mrp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ncsi.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ndisc.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
neighbour.h
net: add annotations on hh->hh_len lockless accesses
2020-01-09 10:19:09 +01:00
net_failover.h
net: Introduce net_failover driver
2018-05-28 22:59:54 -04:00
net_namespace.h
net: make get_net_ns return error if NET_NS is disabled
2021-06-30 08:48:18 -04:00
net_ratelimit.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
netevent.h
net: ipv4: Notify about changes to ip_forward_update_priority
2018-08-01 09:52:30 -07:00
netlabel.h
net: convert netlbl_lsm_cache.refcount from atomic_t to refcount_t
2017-07-01 07:39:09 -07:00
netlink.h
netlink: fix typo in nla_parse_nested() comment
2018-09-29 11:48:26 -07:00
netprio_cgroup.h
netrom.h
net: netrom: Fix error cleanup path of nr_proto_init
2019-05-02 09:58:57 +02:00
nexthop.h
net: fix rtnh_ok()
2018-04-07 22:32:31 -04:00
nl802154.h
nsh.h
openvswitch: enable NSH support
2017-11-08 16:12:33 +09:00
p8022.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
page_pool.h
xdp: introduce xdp_return_frame_rx_napi
2018-05-24 18:36:15 -07:00
ping.h
ipv{4,6}/ping: simplify proc file creation
2018-05-16 07:23:35 +02:00
pkt_cls.h
net_sched: fix ops->bind_class() implementations
2020-02-01 09:37:06 +00:00
pkt_sched.h
net: prevent user from passing illegal stab size
2021-10-17 10:19:49 +02:00
pptp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
protocol.h
IPv4: early demux can return an error code
2017-10-01 03:55:47 +01:00
psample.h
psample: Add a fwd declaration for skbuff
2021-08-26 08:36:38 -04:00
psnap.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
raw.h
ipv{4,6}/raw: simplify ѕeq_file code
2018-05-16 07:23:35 +02:00
rawv6.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
red.h
sch_red: fix off-by-one checks in red_check_params()
2021-04-14 08:22:34 +02:00
regulatory.h
cfg80211: make wmm_rule part of the reg_rule structure
2018-08-28 11:11:47 +02:00
request_sock.h
net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head
2020-01-27 14:51:18 +01:00
rose.h
proc: introduce proc_create_seq{,_data}
2018-05-16 07:23:35 +02:00
route.h
net/ipv4: Add support for specifying metric of connected routes
2018-05-29 10:12:45 -04:00
rsi_91x.h
Bluetooth: btrsi: add new rsi bluetooth driver
2018-03-13 18:37:02 +02:00
rtnetlink.h
can: dev: Move device back to init netns on owning netns delete
2021-03-30 14:37:03 +02:00
sch_generic.h
net_sched: fix ops->bind_class() implementations
2020-02-01 09:37:06 +00:00
scm.h
pids: Compute task_tgid using signal->leader_pid
2018-07-21 10:43:12 -05:00
secure_seq.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
seg6_hmac.h
rhashtable: split rhashtable.h
2018-06-22 13:43:27 +09:00
seg6_local.h
bpf: add End.DT6 action to bpf_lwt_seg6_action helper
2018-07-31 09:22:48 +02:00
seg6.h
rhashtable: split rhashtable.h
2018-06-22 13:43:27 +09:00
slhc_vj.h
slip: Check if rstate is initialized before uncompressing
2018-04-11 10:33:46 -04:00
smc.h
net/smc: add pnetid support for SMC-D and ISM
2018-06-30 20:42:25 +09:00
snmp.h
sock_reuseport.h
udp: correct reuseport selection with connected sockets
2019-09-21 07:16:43 +02:00
sock.h
af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
2021-10-06 15:31:24 +02:00
Space.h
net/mac89x0: Convert to platform_driver
2018-03-01 21:21:36 -05:00
stp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
strparser.h
strparser: Add __strp_unpause and use it in ktls.
2018-06-06 14:07:53 -04:00
switchdev.h
switchdev: Add fdb.added_by_user to switchdev notifications
2018-05-03 13:46:47 -04:00
tcp_states.h
tcp: remove the hardcode in the definition of TCPF Macro
2018-02-21 15:06:05 -05:00
tcp.h
tcp: annotate tp->write_seq lockless reads
2021-03-17 16:43:43 +01:00
timewait_sock.h
tipc.h
flow_dissector: do not rely on implicit casts
2018-05-08 00:02:41 -04:00
tls.h
net/tls: Protect from calling tls_dev_del for TLS RX twice
2020-12-08 10:18:52 +01:00
transp_v6.h
ipv6: fold sockcm_cookie into ipcm6_cookie
2018-07-07 10:58:49 +09:00
tso.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
tun_proto.h
vxlan: factor out VXLAN-GPE next protocol
2017-08-29 15:16:52 -07:00
udp_tunnel.h
net: Convert GRO SKB handling to list_head.
2018-06-26 11:33:04 +09:00
udp.h
Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net
2018-07-03 10:29:26 +09:00
udplite.h
udplite: fix partial checksum initialization
2018-02-16 15:57:42 -05:00
vsock_addr.h
vxlan.h
vxlan: add ttl inherit support
2018-04-17 13:53:13 -04:00
wext.h
lift handling of SIOCIW... out of dev_ioctl()
2018-01-24 19:13:45 -05:00
wimax.h
x25.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
x25device.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
xdp_sock.h
xsk: fix umem memory leak on cleanup
2019-05-04 09:20:12 +02:00
xdp.h
xdp: Helper function to clear kernel pointers in xdp_frame
2018-08-10 16:12:20 +02:00
xfrm.h
xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate
2020-10-14 10:31:24 +02:00