android_kernel_google_msm/drivers/net
Peter Hurley 270c07a82d wan/x25: Fix use-after-free in x25_asy_open_tty()
commit ee9159ddce14bc1dec9435ae4e3bd3153e783706 upstream.

The N_X25 line discipline may access the previous line discipline's closed
and already-freed private data on open [1].

The tty->disc_data field _never_ refers to valid data on entry to the
line discipline's open() method. Rather, the ldisc is expected to
initialize that field for its own use for the lifetime of the instance
(i.e. from open() to close() only).

[1]
    [  634.336761] ==================================================================
    [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
    [  634.339558] Read of size 4 by task syzkaller_execu/8981
    [  634.340359] =============================================================================
    [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
    ...
    [  634.405018] Call Trace:
    [  634.405277] dump_stack (lib/dump_stack.c:52)
    [  634.405775] print_trailer (mm/slub.c:655)
    [  634.406361] object_err (mm/slub.c:662)
    [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
    [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
    [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
    [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
    [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
    [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
    [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
    [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
    [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Reported-and-tested-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Zefan Li <lizefan@huawei.com>
2016-10-26 23:15:33 +08:00
appletalk
arcnet arcnet: cleanup sizeof parameter 2013-08-11 15:38:44 -07:00
bonding bonding: Remove debug_fs files when module init fails 2014-06-07 16:01:59 -07:00
caif
can can: sja1000: clear interrupts on start 2016-10-26 23:15:32 +08:00
cris
dsa
ethernet niu: don't count tx error twice in case of headroom realloc fails 2016-03-21 09:17:48 +08:00
fddi
hamradio hamradio/yam: fix info leak in ioctl 2014-01-15 15:27:11 -08:00
hippi
hyperv netvsc: don't flush peers notifying work during setting mtu 2014-01-15 15:27:11 -08:00
irda
phy broadcom: fix PHY_ID_BCM5481 entry in the id table 2016-10-26 23:15:30 +08:00
plip
ppp ppp, slip: Validate VJ compression slot parameters completely 2016-03-21 09:17:54 +08:00
slip ppp, slip: Validate VJ compression slot parameters completely 2016-03-21 09:17:54 +08:00
team team: fix possible null pointer dereference in team_handle_frame 2015-06-19 11:40:18 +08:00
tokenring
usb net: asix: add missing flag to struct driver_info 2014-03-11 16:10:11 -07:00
vmxnet3 vmxnet3: fix building without CONFIG_PCI_MSI 2014-03-23 21:37:07 -07:00
wan wan/x25: Fix use-after-free in x25_asy_open_tty() 2016-10-26 23:15:33 +08:00
wimax skb: Add inline helper for getting the skb end offset from head 2014-06-07 16:02:00 -07:00
wireless mwifiex: fix mwifiex_rdeeprom_read() 2016-10-26 23:15:23 +08:00
xen-netback xen: netback: read hotplug script once at start of day. 2015-06-19 11:40:35 +08:00
dummy.c dummy: fix oops when loading the dummy failed 2013-07-28 16:26:07 -07:00
eql.c
ifb.c ifb: fix oops when loading the ifb failed 2013-07-28 16:26:08 -07:00
Kconfig
LICENSE.SRC
loopback.c net: loopback: fix a dst refcounting issue 2013-02-14 10:49:04 -08:00
macvlan.c macvlan: fix leak in macvlan_handle_frame 2016-10-26 23:15:29 +08:00
macvtap.c drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO packets 2015-02-02 17:05:26 +08:00
Makefile
mdio.c
mii.c
netconsole.c netconsole: don't call __netpoll_cleanup() while atomic 2013-03-28 12:11:52 -07:00
rionet.c
sb1000.c
Space.c
sungem_phy.c
tun.c drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO packets 2015-02-02 17:05:26 +08:00
veth.c
virtio_net.c virtio-net: drop NETIF_F_FRAGLIST 2016-03-21 09:17:54 +08:00
xen-netfront.c xen-netfront: reduce gso_max_size to account for max TCP header 2014-06-07 16:02:15 -07:00