Piteball/android_kernel_samsung_msm8976
1
1
Fork 0
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git synced 2024-11-01 02:21:16 +00:00
Code Issues Projects Releases Wiki Activity
android_kernel_samsung_msm8976/net
History
Mike Maloney 39ffc27b5c BACKPORT: ipv6: fix udpv6 sendmsg crash caused by too small MTU 
The logic in __ip6_append_data() assumes that the MTU is at least large
enough for the headers.  A device's MTU may be adjusted after being
added while sendmsg() is processing data, resulting in
__ip6_append_data() seeing any MTU.  For an mtu smaller than the size of
the fragmentation header, the math results in a negative 'maxfraglen',
which causes problems when refragmenting any previous skb in the
skb_write_queue, leaving it possibly malformed.

Instead sendmsg returns EINVAL when the mtu is calculated to be less
than IPV6_MIN_MTU.

Found by syzkaller:
kernel BUG at ./include/linux/skbuff.h:2064!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 14216 Comm: syz-executor5 Not tainted 4.13.0-rc4+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d0b68580 task.stack: ffff8801ac6b8000
RIP: 0010:__skb_pull include/linux/skbuff.h:2064 [inline]
RIP: 0010:__ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617
RSP: 0018:ffff8801ac6bf570 EFLAGS: 00010216
RAX: 0000000000010000 RBX: 0000000000000028 RCX: ffffc90003cce000
RDX: 00000000000001b8 RSI: ffffffff839df06f RDI: ffff8801d9478ca0
RBP: ffff8801ac6bf780 R08: ffff8801cc3f1dbc R09: 0000000000000000
R10: ffff8801ac6bf7a0 R11: 43cb4b7b1948a9e7 R12: ffff8801cc3f1dc8
R13: ffff8801cc3f1d40 R14: 0000000000001036 R15: dffffc0000000000
FS:  00007f43d740c700(0000) GS:ffff8801dc100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7834984000 CR3: 00000001d79b9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ip6_finish_skb include/net/ipv6.h:911 [inline]
 udp_v6_push_pending_frames+0x255/0x390 net/ipv6/udp.c:1093
 udpv6_sendmsg+0x280d/0x31a0 net/ipv6/udp.c:1363
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:643
 SYSC_sendto+0x352/0x5a0 net/socket.c:1750
 SyS_sendto+0x40/0x50 net/socket.c:1718
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x4512e9
RSP: 002b:00007f43d740bc08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000007180a8 RCX: 00000000004512e9
RDX: 000000000000002e RSI: 0000000020d08000 RDI: 0000000000000005
RBP: 0000000000000086 R08: 00000000209c1000 R09: 000000000000001c
R10: 0000000000040800 R11: 0000000000000216 R12: 00000000004b9c69
R13: 00000000ffffffff R14: 0000000000000005 R15: 00000000202c2000
Code: 9e 01 fe e9 c5 e8 ff ff e8 7f 9e 01 fe e9 4a ea ff ff 48 89 f7 e8 52 9e 01 fe e9 aa eb ff ff e8 a8 b6 cf fd 0f 0b e8 a1 b6 cf fd <0f> 0b 49 8d 45 78 4d 8d 45 7c 48 89 85 78 fe ff ff 49 8d 85 ba
RIP: __skb_pull include/linux/skbuff.h:2064 [inline] RSP: ffff8801ac6bf570
RIP: __ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617 RSP: ffff8801ac6bf570

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Mike Maloney <maloney@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 749439bfac6e1a2932c582e2699f91d329658196)

Bug: 65023306
Change-Id: I3b713621c749b7fd3a070116be8996ae2e2dd6e8
Signed-off-by: Greg Hackmann <ghackmann@google.com>
2019-07-27 21:46:07 +02:00
..
9p
802
8021q
appletalk
atm
ax25
batman-adv
bluetooth Bluetooth: Prevent stack info leak from the EFS element. 2019-07-27 21:45:54 +02:00
bridge
caif
can
ceph
core iovec: make sure the caller actually wants anything in memcpy_fromiovecend 2019-07-27 21:45:59 +02:00
dcb
dccp dccp: CVE-2017-8824: use-after-free in DCCP code 2019-07-27 21:45:45 +02:00
decnet
dns_resolver
dsa
ethernet
ieee802154
ipc_router
ipv4 UPSTREAM: ipv4, ipv6: ensure raw socket message is big enough to hold an IP header 2019-07-27 21:45:57 +02:00
ipv6 BACKPORT: ipv6: fix udpv6 sendmsg crash caused by too small MTU 2019-07-27 21:46:07 +02:00
ipx
irda
iucv
key af_key: Fix slab-out-of-bounds in pfkey_compile_policy. 2019-07-27 21:44:45 +02:00
l2tp l2tp: initialise PPP sessions before registering them 2019-07-27 21:46:03 +02:00
lapb
llc
mac80211 mac80211: use constant time comparison with keys 2019-07-27 21:45:47 +02:00
mac802154
netfilter netfilter: xt_TCPMSS: correct return value in tcpmss_mangle_packet 2019-07-27 21:46:06 +02:00
netlabel
netlink
netrom
nfc
openvswitch
packet packet: only test po->has_vnet_hdr once in packet_snd 2019-07-27 21:45:34 +02:00
phonet
rds
rfkill
rmnet_data
rose
rxrpc rxrpc: Fix several cases where a padded len isn't checked in ticket decode 2019-07-27 21:44:13 +02:00
sched sch_fq_codel: avoid double free on init failure 2019-07-27 21:45:13 +02:00
sctp sctp: fix a type cast warnings that causes a_rwnd gets the wrong value 2019-07-27 21:45:39 +02:00
sunrpc svcrpc: fix oops in absence of krb5 module 2019-07-27 21:43:03 +02:00
tipc
unix net/unix: don't show information about sockets from other namespaces 2019-07-27 21:45:50 +02:00
vmw_vsock
wimax
wireless cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES 2019-07-27 21:44:37 +02:00
x25
xfrm ipsec: Fix aborted xfrm policy dump crash 2019-07-27 21:45:39 +02:00
activity_stats.c
compat.c
Kconfig
Makefile
nonet.c
socket.c net: socket: fix recvmmsg not returning error from sock_error 2019-07-27 21:43:06 +02:00
sysctl_net.c