Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
android_kernel_samsung_msm8976/net/ipv6
History
Eric Dumazet 2037ffd53c ipv6: sit: better validate user provided tunnel names 
commit b95211e066fc3494b7c115060b2297b4ba21f025 upstream.

Use dev_valid_name() to make sure user does not provide illegal
device name.

syzbot caught the following bug :

BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
BUG: KASAN: stack-out-of-bounds in ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254
Write of size 33 at addr ffff8801b64076d8 by task syzkaller932654/4453

CPU: 0 PID: 4453 Comm: syzkaller932654 Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b9/0x29f lib/dump_stack.c:53
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x37/0x50 mm/kasan/kasan.c:303
 strlcpy include/linux/string.h:300 [inline]
 ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254
 ipip6_tunnel_ioctl+0xe71/0x241b net/ipv6/sit.c:1221
 dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
 dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
 sock_ioctl+0x47e/0x680 net/socket.c:1015
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 SYSC_ioctl fs/ioctl.c:708 [inline]
 SyS_ioctl+0x24/0x30 fs/ioctl.c:706
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 		2019-07-27 21:52:03 +02:00
..
netfilter Revert "netfilter: have ip*t REJECT set the sock err when an icmp is to be sent" 2019-07-27 21:51:03 +02:00
Kconfig
Makefile
addrconf.c BACKPORT: ipv6 addrconf: implement RFC7559 router solicitation backoff 2019-07-27 21:51:04 +02:00
addrconf_core.c
addrlabel.c ipv6/addrlabel: fix ip6addrlbl_get() 2016-01-28 21:49:33 -08:00
af_inet6.c net: inet: Support UID-based routing in IP protocols. 2019-07-27 21:50:59 +02:00
ah6.c net: inet: Support UID-based routing in IP protocols. 2019-07-27 21:50:59 +02:00
anycast.c ipv6: fix rtnl locking in setsockopt for anycast and multicast 2019-07-27 21:42:28 +02:00
datagram.c net: inet: Support UID-based routing in IP protocols. 2019-07-27 21:50:59 +02:00
esp6.c net: inet: Support UID-based routing in IP protocols. 2019-07-27 21:50:59 +02:00
exthdrs.c ipv6: add complete rcu protection around np->opt 2016-09-09 02:36:40 -07:00
exthdrs_core.c This is the 3.10.102 stable release 2017-04-18 17:22:08 +02:00
exthdrs_offload.c ipv6: fix exthdrs offload registration in out_rt path 2015-10-01 12:07:38 +02:00
fib6_rules.c
icmp.c ipv6: fix endianness error in icmpv6_err 2019-07-27 21:51:03 +02:00
inet6_connection_sock.c net: inet: Support UID-based routing in IP protocols. 2019-07-27 21:50:59 +02:00
inet6_hashtables.c
ip6_checksum.c
ip6_fib.c ipv6: fix sparse warning on rt6i_node 2019-07-27 21:45:09 +02:00
ip6_flowlabel.c
ip6_gre.c net: inet: Support UID-based routing in IP protocols. 2019-07-27 21:50:59 +02:00
ip6_icmp.c
ip6_input.c ipv6: Make MLD packets to only be processed locally 2015-10-01 12:07:34 +02:00
ip6_offload.c ipv6: Fix leak in ipv6_gso_segment(). 2019-07-27 21:44:50 +02:00
ip6_offload.h
ip6_output.c ipv6: fix possible use-after-free in ip6_xmit() 2019-07-27 21:51:55 +02:00
ip6_tunnel.c net: inet: Support UID-based routing in IP protocols. 2019-07-27 21:50:59 +02:00
ip6mr.c ip6mr: fix notification device destruction 2019-07-27 21:44:08 +02:00
ipcomp6.c net: inet: Support UID-based routing in IP protocols. 2019-07-27 21:50:59 +02:00
ipv6_sockglue.c netfilter: drop outermost socket lock in getsockopt() 2019-07-27 21:49:20 +02:00
mcast.c ipv6: fix rtnl locking in setsockopt for anycast and multicast 2019-07-27 21:42:28 +02:00
mip6.c
ndisc.c net: ipv6: Add sysctl for minimum prefix len acceptable in RIOs. 2019-07-27 21:51:03 +02:00
netfilter.c net: inet: Support UID-based routing in IP protocols. 2019-07-27 21:50:59 +02:00
output_core.c ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() 2019-07-27 21:45:02 +02:00
ping.c net: ipv6: Fix ping to link-local addresses. 2019-07-27 21:51:02 +02:00
proc.c
protocol.c
raw.c net: raw: do not report ICMP redirects to user space 2019-07-27 21:51:42 +02:00
reassembly.c net: disable fragment reassembly if high_thresh is set to zero 2019-07-27 21:42:34 +02:00
route.c net: inet: Support UID-based routing in IP protocols. 2019-07-27 21:50:59 +02:00
sit.c ipv6: sit: better validate user provided tunnel names 2019-07-27 21:52:03 +02:00
syncookies.c net: inet: Support UID-based routing in IP protocols. 2019-07-27 21:50:59 +02:00
sysctl_net_ipv6.c
tcp_ipv6.c net: inet: Support UID-based routing in IP protocols. 2019-07-27 21:50:59 +02:00
tcpv6_offload.c
tunnel6.c
udp.c net: udp: do not report ICMP redirects to user space 2019-07-27 21:51:42 +02:00
udp_impl.h
udp_offload.c net: avoid skb_warn_bad_offload false positives on UFO 2019-07-27 21:45:23 +02:00
udplite.c
xfrm6_input.c xfrm: Reinject transport-mode packets through tasklet 2019-07-27 21:46:20 +02:00
xfrm6_mode_beet.c
xfrm6_mode_ro.c ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() 2019-07-27 21:44:48 +02:00
xfrm6_mode_transport.c ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() 2019-07-27 21:44:48 +02:00
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c BACKPORT: net: xfrm: support setting an output mark. 2019-07-27 21:51:33 +02:00
xfrm6_state.c
xfrm6_tunnel.c