iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/include/net
History
王贇 2aaf3fd5e1 net: prevent user from passing illegal stab size 
[ Upstream commit b193e15ac69d56f35e1d8e2b5d16cbd47764d053 ]

We observed below report when playing with netlink sock:

  UBSAN: shift-out-of-bounds in net/sched/sch_api.c:580:10
  shift exponent 249 is too large for 32-bit type
  CPU: 0 PID: 685 Comm: a.out Not tainted
  Call Trace:
   dump_stack_lvl+0x8d/0xcf
   ubsan_epilogue+0xa/0x4e
   __ubsan_handle_shift_out_of_bounds+0x161/0x182
   __qdisc_calculate_pkt_len+0xf0/0x190
   __dev_queue_xmit+0x2ed/0x15b0

it seems like kernel won't check the stab log value passing from
user, and will use the insane value later to calculate pkt_len.

This patch just add a check on the size/cell_log to avoid insane
calculation.

Reported-by: Abaci <abaci@linux.alibaba.com>
Signed-off-by: Michael Wang <yun.wang@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-10-17 10:42:34 +02:00
..
9p
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 188
2019-05-30 11:29:21 -07:00
bluetooth
Bluetooth: defer cleanup of resources in hci_unregister_dev()
2021-08-12 13:20:58 +02:00
caif
net: caif: add proper error handling
2021-06-10 13:37:09 +02:00
iucv
net/af_iucv: locate IUCV header via skb_network_header()
2018-09-26 09:56:07 -07:00
netfilter
netfilter: nft_dynset: fix timeouts later than 23 days
2020-12-30 11:50:54 +01:00
netns
net: xfrm: Localize sequence counter per network namespace
2021-04-14 08:24:13 +02:00
nfc
NFC: nci: fix memory leak in nci_allocate_device
2021-05-28 13:10:27 +02:00
phonet
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336
2019-06-05 17:37:07 +02:00
sctp
sctp: move 198 addresses from unusable to private scope
2021-07-31 08:19:38 +02:00
tc_act
net/sched: act_vlan: Fix modify to allow 0
2021-07-14 16:53:27 +02:00
6lowpan.h
act_api.h
net: sched: fix police ext initialization
2021-03-04 10:26:53 +01:00
addrconf.h
net: bridge: mcast: fix broken length + header check for MRDv6 Adv.
2021-05-14 09:44:32 +02:00
af_ieee802154.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174
2019-05-30 11:26:41 -07:00
af_rxrpc.h
rxrpc: Make rxrpc_kernel_get_srtt() indicate validity
2020-09-09 19:12:23 +02:00
af_unix.h
net: split out functions related to registering inflight socket files
2019-02-28 08:24:23 -07:00
af_vsock.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 321
2019-06-05 17:37:05 +02:00
ah.h
arp.h
net: avoid potential false sharing in neighbor related code
2019-12-31 16:45:03 +01:00
atmclip.h
ax25.h
ax25: fix possible use-after-free
2019-01-23 11:18:00 -08:00
ax88796.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
bond_3ad.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 90
2019-05-24 17:37:53 +02:00
bond_alb.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 5
2019-05-21 11:28:40 +02:00
bond_options.h
bonding: add an option to specify a delay between peer notifications
2019-07-04 12:30:48 -07:00
bonding.h
bonding: wait for sysfs kobject destruction before freeing struct slave
2020-12-08 10:40:24 +01:00
bpf_sk_storage.h
bpf: support cloning sk storage on accept()
2019-08-17 23:18:54 +02:00
busy_poll.h
net: annotate data race around sk_ll_usec
2021-07-31 08:19:38 +02:00
calipso.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13
2019-05-21 11:28:45 +02:00
cfg80211-wext.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
cfg80211.h
mac80211: properly handle A-MSDUs that start with an RFC 1042 header
2021-06-03 08:59:01 +02:00
cfg802154.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174
2019-05-30 11:26:41 -07:00
checksum.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
cipso_ipv4.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13
2019-05-21 11:28:45 +02:00
cls_cgroup.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
codel_impl.h
codel_qdisc.h
codel.h
compat.h
net: rework SIOCGSTAMP ioctl handling
2019-04-19 14:07:40 -07:00
datalink.h
dcbevent.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201
2019-05-30 11:29:52 -07:00
dcbnl.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201
2019-05-30 11:29:52 -07:00
devlink.h
devlink: disallow reload operation during device cleanup
2019-11-09 19:38:36 -08:00
dn_dev.h
dn_fib.h
dn_neigh.h
dn_nsp.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 24
2019-05-21 11:52:39 +02:00
dn_route.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 24
2019-05-21 11:52:39 +02:00
dn.h
drop_monitor.h
net: drop_monitor: use IS_REACHABLE() to guard net_dm_hw_report()
2020-05-27 17:46:24 +02:00
dsa.h
net: dsa: Pass ndo_setup_tc slave callback to drivers
2019-09-16 21:32:57 +02:00
dsfield.h
dst_cache.h
dst_metadata.h
net: validate lwtstate->data before returning from skb_tunnel_info()
2021-07-25 14:35:15 +02:00
dst_ops.h
net: add bool confirm_neigh parameter for dst_ops.update_pmtu
2020-01-04 19:18:58 +01:00
dst.h
net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb
2020-07-22 09:32:47 +02:00
erspan.h
esp.h
ethoc.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
failover.h
fib_notifier.h
net: fib: drop include of module.h from fib_notifier.h
2019-04-22 21:50:53 -07:00
fib_rules.h
fib: add missing attribute validation for tun_id
2020-03-18 07:17:44 +01:00
firewire.h
flow_dissector.h
net: sched: correct flower port blocking
2020-03-05 16:43:32 +01:00
flow_offload.h
net: core: rename indirect block ingress cb function
2019-12-18 16:08:47 +01:00
flow.h
ipv4: Initialize flowi4_multipath_hash in data path
2020-09-26 18:03:12 +02:00
fou.h
fq_impl.h
net/fq_impl: Switch to kvmalloc() for memory allocation
2019-11-08 09:11:49 +01:00
fq.h
net/flow_dissector: switch to siphash
2019-10-23 20:13:22 -07:00
garp.h
gen_stats.h
net: align gnet_stats_basic_cpu struct
2018-11-17 21:37:29 -08:00
genetlink.h
genetlink: remove genl_bind
2020-07-22 09:32:46 +02:00
geneve.h
net: Move the definition of the default Geneve udp port to public header file
2019-03-22 12:09:31 -07:00
gre.h
net: Add netif_is_gretap()/netif_is_ip6gretap()
2018-12-10 15:53:04 -08:00
gro_cells.h
gtp.h
gue.h
net:gue.h:Fix shifting signed 32-bit value by 31 bits problem
2019-07-01 10:58:23 -07:00
hwbm.h
net: hwbm: if CONFIG_NET_HWBM unset, make stub functions static
2019-10-25 16:24:32 -07:00
icmp.h
net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending
2021-03-04 10:26:53 +01:00
ieee80211_radiotap.h
wireless-drivers-next patches for 5.1
2019-02-22 12:56:24 -08:00
ieee802154_netdev.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174
2019-05-30 11:26:41 -07:00
if_inet6.h
ipv6: shrink struct ipv6_mc_socklist
2019-08-28 14:43:03 -07:00
ife.h
net: ife: drop include of module.h from net/ife.h
2019-04-22 21:50:53 -07:00
ila.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
inet6_connection_sock.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
inet6_hashtables.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
inet_common.h
inet: factor out inet_send_prepare()
2019-07-03 13:51:54 -07:00
inet_connection_sock.h
tcp: relookup sock for RST+ACK packets handled by obsolete req sock
2021-03-30 14:35:26 +02:00
inet_ecn.h
inet_ecn: Fix endianness of checksum update when setting ECT(1)
2020-12-08 10:40:25 +01:00
inet_frag.h
inet: frags: re-introduce skb coalescing for local delivery
2019-08-08 15:55:10 -07:00
inet_hashtables.h
dccp: Fix possible memleak in dccp_init and dccp_fini
2020-06-17 16:40:32 +02:00
inet_sock.h
ip: support SO_MARK cmsg
2019-09-13 21:44:19 +02:00
inet_timewait_sock.h
tcp: honor SO_PRIORITY in TIME_WAIT state
2019-09-27 12:05:02 +02:00
inetpeer.h
net: ipv4: use a dedicated counter for icmp_v4 redirect packets
2019-02-08 21:50:15 -08:00
ip6_checksum.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
ip6_fib.h
ipv6: Use global sernum for dst validation with nexthop objects
2020-05-14 07:58:20 +02:00
ip6_route.h
net: ipv6: fix returned variable type in ip6_skb_dst_mtu
2021-08-12 13:20:57 +02:00
ip6_tunnel.h
ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL
2019-06-18 20:48:45 -04:00
ip_fib.h
net: ipv4: Fix rtnexthop len when RTA_FLOW is present
2021-10-06 15:42:33 +02:00
ip_tunnels.h
ip_tunnels: Set tunnel option flag when tunnel metadata is present
2020-11-24 13:29:05 +01:00
ip_vs.h
ipvs: allow connection reuse for unconfirmed conntrack
2020-08-19 08:16:10 +02:00
ip.h
net: lwtunnel: handle MTU calculation in forwading
2021-07-14 16:53:35 +02:00
ipcomp.h
ipconfig.h
ipv6_frag.h
inet: fix various use-after-free in defrags units
2019-06-19 11:37:47 -04:00
ipv6_stubs.h
net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
2019-12-18 16:08:42 +01:00
ipv6.h
net: ipv6: add net argument to ip6_dst_lookup_flow
2019-12-18 16:08:40 +01:00
ipx.h
bonding/alb: properly access headers in bond_alb_xmit()
2020-02-11 04:35:48 -08:00
iw_handler.h
kcm.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
l3mdev.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
lag.h
net: Add lag.h, net_lag_port_dev_txable()
2018-07-11 23:10:19 -07:00
lapb.h
lib80211.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc: fix sk_buff leak in llc_conn_service()
2019-10-08 13:23:05 -07:00
llc_if.h
llc_pdu.h
net: llc: fix skb_over_panic
2021-08-04 12:27:39 +02:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h
llc: avoid blocking in llc_sap_close()
2018-09-13 09:04:58 -07:00
lwtunnel.h
lwtunnel: Pass encap and encap type attributes to lwtunnel_fill_encap
2019-04-23 19:42:29 -07:00
mac80211.h
mac80211: populate debugfs only after cfg80211 init
2020-04-29 16:33:18 +02:00
mac802154.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174
2019-05-30 11:26:41 -07:00
mip6.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13
2019-05-21 11:28:45 +02:00
mld.h
mpls_iptunnel.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 295
2019-06-05 17:36:38 +02:00
mpls.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 295
2019-06-05 17:36:38 +02:00
mrp.h
ncsi.h
ndisc.h
net: avoid potential false sharing in neighbor related code
2019-12-31 16:45:03 +01:00
neighbour.h
Exempt multicast addresses from five-second neighbor lifetime
2020-11-24 13:28:56 +01:00
net_failover.h
net_namespace.h
net: make get_net_ns return error if NET_NS is disabled
2021-06-23 14:41:25 +02:00
net_ratelimit.h
netevent.h
net: ipv4: Notify about changes to ip_forward_update_priority
2018-08-01 09:52:30 -07:00
netlabel.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13
2019-05-21 11:28:45 +02:00
netlink.h
netlink: Fix nlmsg_parse as a wrapper for strict message parsing
2019-08-13 20:37:16 -07:00
netprio_cgroup.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
netrom.h
net: netrom: Fix error cleanup path of nr_proto_init
2019-04-11 13:59:49 -07:00
nexthop.h
net: ipv4: Fix rtnexthop len when RTA_FLOW is present
2021-10-06 15:42:33 +02:00
nl802154.h
nsh.h
p8022.h
page_pool.h
mm: fix struct page layout on 32-bit systems
2021-05-19 10:08:31 +02:00
ping.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
pkt_cls.h
net_sched: fix ops->bind_class() implementations
2020-02-01 09:34:38 +00:00
pkt_sched.h
net: prevent user from passing illegal stab size
2021-10-17 10:42:34 +02:00
pptp.h
protocol.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
psample.h
psample: Add a fwd declaration for skbuff
2021-08-18 08:56:59 +02:00
psnap.h
raw.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
rawv6.h
red.h
sch_red: fix off-by-one checks in red_check_params()
2021-04-14 08:24:14 +02:00
regulatory.h
cfg80211: make wmm_rule part of the reg_rule structure
2018-08-28 11:11:47 +02:00
request_sock.h
net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head
2019-10-09 21:34:31 -07:00
rose.h
route.h
ipv4: Revert removal of rt_uses_gateway
2019-09-20 18:23:33 -07:00
rsi_91x.h
rtnetlink.h
can: dev: Move device back to init netns on owning netns delete
2021-03-30 14:35:29 +02:00
rtnh.h
net: Rename net/nexthop.h net/rtnh.h
2019-04-22 21:47:25 -07:00
sch_generic.h
net: sched: add barrier to ensure correct ordering for lockless qdisc
2021-07-14 16:53:31 +02:00
scm.h
pids: Compute task_tgid using signal->leader_pid
2018-07-21 10:43:12 -05:00
secure_seq.h
seg6_hmac.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
seg6_local.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
seg6.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
slhc_vj.h
smc.h
net/smc: add smcd support to the pnet table
2019-02-21 10:34:37 -08:00
snmp.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
sock_reuseport.h
udp: correct reuseport selection with connected sockets
2019-09-16 09:02:18 +02:00
sock.h
af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
2021-10-06 15:42:35 +02:00
Space.h
stp.h
strparser.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
switchdev.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
tcp_states.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
tcp.h
tcp: fix SO_RCVLOWAT related hangs under mem pressure
2021-03-04 10:26:17 +01:00
timewait_sock.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
tipc.h
tls.h
net/tls: Protect from calling tls_dev_del for TLS RX twice
2020-12-08 10:40:23 +01:00
transp_v6.h
ipv6: fold sockcm_cookie into ipcm6_cookie
2018-07-07 10:58:49 +09:00
tso.h
tun_proto.h
udp_tunnel.h
ipv6: Move ipv6 stubs to a separate header file
2019-03-29 10:53:45 -07:00
udp.h
udp: document udp_rcv_segment special case for looped packets
2020-05-10 10:31:33 +02:00
udplite.h
vsock_addr.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 321
2019-06-05 17:37:05 +02:00
vxlan.h
vxlan: add adjacent link to limit depth level
2019-10-24 14:53:49 -07:00
wext.h
wimax.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 268
2019-06-05 17:30:29 +02:00
x25.h
x25device.h
xdp_priv.h
page_pool: do not release pool until inflight == 0.
2019-12-18 16:09:07 +01:00
xdp_sock.h
xsk: add support to allow unaligned chunk placement
2019-08-31 01:08:26 +02:00
xdp.h
xdp: page_pool related fix to cpumap
2019-06-19 11:23:13 -04:00
xfrm.h
xfrm: xfrm_state_mtu should return at least 1280 for ipv6
2021-07-14 16:53:26 +02:00