Piteball/android_kernel_samsung_msm8976
1
1
Fork 0
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git synced 2024-09-21 03:43:03 +00:00
Code Issues Projects Releases Wiki Activity
android_kernel_samsung_msm8976/net
History
Alexander Potapenko dd1da0ce0d UPSTREAM: ipv4, ipv6: ensure raw socket message is big enough to hold an IP header 
raw_send_hdrinc() and rawv6_send_hdrinc() expect that the buffer copied
from the userspace contains the IPv4/IPv6 header, so if too few bytes are
copied, parts of the header may remain uninitialized.

This bug has been detected with KMSAN.

For the record, the KMSAN report:

==================================================================
BUG: KMSAN: use of unitialized memory in nf_ct_frag6_gather+0xf5a/0x44a0
inter: 0
CPU: 0 PID: 1036 Comm: probe Not tainted 4.11.0-rc5+ #2455
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x143/0x1b0 lib/dump_stack.c:52
 kmsan_report+0x16b/0x1e0 mm/kmsan/kmsan.c:1078
 __kmsan_warning_32+0x5c/0xa0 mm/kmsan/kmsan_instr.c:510
 nf_ct_frag6_gather+0xf5a/0x44a0 net/ipv6/netfilter/nf_conntrack_reasm.c:577
 ipv6_defrag+0x1d9/0x280 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
 nf_hook_entry_hookfn ./include/linux/netfilter.h:102
 nf_hook_slow+0x13f/0x3c0 net/netfilter/core.c:310
 nf_hook ./include/linux/netfilter.h:212
 NF_HOOK ./include/linux/netfilter.h:255
 rawv6_send_hdrinc net/ipv6/raw.c:673
 rawv6_sendmsg+0x2fcb/0x41a0 net/ipv6/raw.c:919
 inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633
 sock_sendmsg net/socket.c:643
 SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
 SyS_sendto+0xbc/0xe0 net/socket.c:1664
 do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
 entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
RIP: 0033:0x436e03
RSP: 002b:00007ffce48baf38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000436e03
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffce48baf90 R08: 00007ffce48baf50 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000401790 R14: 0000000000401820 R15: 0000000000000000
origin: 00000000d9400053
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:362
 kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:257
 kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:270
 slab_alloc_node mm/slub.c:2735
 __kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4341
 __kmalloc_reserve net/core/skbuff.c:138
 __alloc_skb+0x2cd/0x740 net/core/skbuff.c:231
 alloc_skb ./include/linux/skbuff.h:933
 alloc_skb_with_frags+0x209/0xbc0 net/core/skbuff.c:4678
 sock_alloc_send_pskb+0x9ff/0xe00 net/core/sock.c:1903
 sock_alloc_send_skb+0xe4/0x100 net/core/sock.c:1920
 rawv6_send_hdrinc net/ipv6/raw.c:638
 rawv6_sendmsg+0x2918/0x41a0 net/ipv6/raw.c:919
 inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633
 sock_sendmsg net/socket.c:643
 SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
 SyS_sendto+0xbc/0xe0 net/socket.c:1664
 do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
 return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246
==================================================================

, triggered by the following syscalls:
  socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
  sendto(3, NULL, 0, 0, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "ff00::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EPERM

A similar report is triggered in net/ipv4/raw.c if we use a PF_INET socket
instead of a PF_INET6 one.

Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 86f4c90a1c5c1493f07f2d12c1079f5bf01936f2)

Bug: 65023306
Change-Id: I19ac32e9e53e6339cd02ef0815b2552ab0c14daf
Signed-off-by: Greg Hackmann <ghackmann@google.com>
2019-07-27 21:45:57 +02:00
..
9p 9p: forgetting to cancel request on interrupted zero-copy RPC 2015-08-03 09:29:47 -07:00
802
8021q
appletalk
atm
ax25 Import latest Samsung release 2017-04-18 03:43:52 +02:00
batman-adv batman-adv: Fix broadcast/ogm queue limit on a removed interface 2016-06-07 10:42:53 +02:00
bluetooth Bluetooth: Prevent stack info leak from the EFS element. 2019-07-27 21:45:54 +02:00
bridge Revert "netfilter: ensure number of counters is >0 in do_replace()" 2019-07-27 21:41:44 +02:00
caif net/unix: sk_socket can disappear when state is unlocked 2015-09-16 18:20:18 +05:30
can can: add missing initialisations in CAN related skbuffs 2015-03-26 15:00:58 +01:00
ceph libceph: introduce ceph_crypt() for in-place en/decryption 2017-04-22 23:02:50 +02:00
core tun: call dev_get_valid_name() before register_netdevice() 2019-07-27 21:45:50 +02:00
dcb
dccp dccp: CVE-2017-8824: use-after-free in DCCP code 2019-07-27 21:45:45 +02:00
decnet Import latest Samsung release 2017-04-18 03:43:52 +02:00
dns_resolver
dsa
ethernet
ieee802154
ipc_router net: ipc_router: Remove duplicate client port check 2017-04-22 23:02:47 +02:00
ipv4 UPSTREAM: ipv4, ipv6: ensure raw socket message is big enough to hold an IP header 2019-07-27 21:45:57 +02:00
ipv6 UPSTREAM: ipv4, ipv6: ensure raw socket message is big enough to hold an IP header 2019-07-27 21:45:57 +02:00
ipx ipx: call ipxitf_put() in ioctl error path 2018-01-21 21:05:49 -08:00
irda irda: Fix lockdep annotations in hashbin_delete(). 2017-04-22 23:02:49 +02:00
iucv
key af_key: Fix slab-out-of-bounds in pfkey_compile_policy. 2019-07-27 21:44:45 +02:00
l2tp l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6 2019-07-27 21:45:43 +02:00
lapb
llc net/llc: avoid BUG_ON() in skb_orphan() 2017-04-22 23:03:00 +02:00
mac80211 mac80211: use constant time comparison with keys 2019-07-27 21:45:47 +02:00
mac802154
netfilter netfilter: xt_osf: Add missing permission checks 2019-07-27 21:45:53 +02:00
netlabel netlabel: add address family checks to netlbl_{sock,req}_delattr() 2019-07-27 21:41:59 +02:00
netlink netlink: Fix dump skb leak/double free 2017-04-22 23:02:56 +02:00
netrom
nfc
openvswitch
packet packet: only test po->has_vnet_hdr once in packet_snd 2019-07-27 21:45:34 +02:00
phonet This is the 3.10.96 stable release 2017-04-18 17:16:02 +02:00
rds This is the 3.10.99 stable release 2017-04-18 17:17:46 +02:00
rfkill net: rfkill: Do not ignore errors from regulator_enable() 2019-07-27 21:42:01 +02:00
rmnet_data net: rmnet_data: Add support to configure custom device name 2018-09-05 18:14:57 +02:00
rose
rxrpc rxrpc: Fix several cases where a padded len isn't checked in ticket decode 2019-07-27 21:44:13 +02:00
sched sch_fq_codel: avoid double free on init failure 2019-07-27 21:45:13 +02:00
sctp sctp: fix a type cast warnings that causes a_rwnd gets the wrong value 2019-07-27 21:45:39 +02:00
sunrpc svcrpc: fix oops in absence of krb5 module 2019-07-27 21:43:03 +02:00
tipc net/tipc: initialize security state for new connection socket 2015-10-01 12:07:35 +02:00
unix net/unix: don't show information about sockets from other namespaces 2019-07-27 21:45:50 +02:00
vmw_vsock VSOCK: do not disconnect socket when peer has shutdown SEND only 2016-06-07 10:42:54 +02:00
wimax
wireless cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES 2019-07-27 21:44:37 +02:00
x25 net: fix a kernel infoleak in x25 module 2016-06-07 10:42:54 +02:00
xfrm ipsec: Fix aborted xfrm policy dump crash 2019-07-27 21:45:39 +02:00
activity_stats.c
compat.c net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour 2015-03-26 15:00:56 +01:00
Kconfig
Makefile
nonet.c
socket.c net: socket: fix recvmmsg not returning error from sock_error 2019-07-27 21:43:06 +02:00
sysctl_net.c