Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity
android_kernel_samsung_msm8976/net
History
Eric Dumazet c4cd7fe732 net: make skb_partial_csum_set() more robust against overflows 
commit 52b5d6f5dcf0e5201392f7d417148ccb537dbf6f upstream.

syzbot managed to crash in skb_checksum_help() [1] :

        BUG_ON(offset + sizeof(__sum16) > skb_headlen(skb));

Root cause is the following check in skb_partial_csum_set()

	if (unlikely(start > skb_headlen(skb)) ||
	    unlikely((int)start + off > skb_headlen(skb) - 2))
		return false;

If skb_headlen(skb) is 1, then (skb_headlen(skb) - 2) becomes 0xffffffff
and the check fails to detect that ((int)start + off) is off the limit,
since the compare is unsigned.

When we fix that, then the first condition (start > skb_headlen(skb))
becomes obsolete.

Then we should also check that (skb_headroom(skb) + start) wont
overflow 16bit field.

[1]
kernel BUG at net/core/dev.c:2880!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7330 Comm: syz-executor4 Not tainted 4.19.0-rc6+ #253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_checksum_help+0x9e3/0xbb0 net/core/dev.c:2880
Code: 85 00 ff ff ff 48 c1 e8 03 42 80 3c 28 00 0f 84 09 fb ff ff 48 8b bd 00 ff ff ff e8 97 a8 b9 fb e9 f8 fa ff ff e8 2d 09 76 fb <0f> 0b 48 8b bd 28 ff ff ff e8 1f a8 b9 fb e9 b1 f6 ff ff 48 89 cf
RSP: 0018:ffff8801d83a6f60 EFLAGS: 00010293
RAX: ffff8801b9834380 RBX: ffff8801b9f8d8c0 RCX: ffffffff8608c6d7
RDX: 0000000000000000 RSI: ffffffff8608cc63 RDI: 0000000000000006
RBP: ffff8801d83a7068 R08: ffff8801b9834380 R09: 0000000000000000
R10: ffff8801d83a76d8 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000010001 R14: 000000000000ffff R15: 00000000000000a8
FS:  00007f1a66db5700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7d77f091b0 CR3: 00000001ba252000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 skb_csum_hwoffload_help+0x8f/0xe0 net/core/dev.c:3269
 validate_xmit_skb+0xa2a/0xf30 net/core/dev.c:3312
 __dev_queue_xmit+0xc2f/0x3950 net/core/dev.c:3797
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
 packet_snd net/packet/af_packet.c:2928 [inline]
 packet_sendmsg+0x422d/0x64c0 net/packet/af_packet.c:2953

Fixes: 5ff8dda303 ("net: Ensure partial checksum offset is inside the skb head")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 		2019-07-27 21:53:15 +02:00
..
9p 9p: forgetting to cancel request on interrupted zero-copy RPC 2015-08-03 09:29:47 -07:00
802
8021q
appletalk
atm
ax25 Import latest Samsung release 2017-04-18 03:43:52 +02:00
batman-adv batman-adv: Fix broadcast/ogm queue limit on a removed interface 2016-06-07 10:42:53 +02:00
bluetooth Bluetooth: hidp: Fix handling of strncpy for hid->name information 2019-07-27 21:51:39 +02:00
bridge netfilter: ebtables: handle string from userspace with care 2019-07-27 21:52:09 +02:00
caif net/unix: sk_socket can disappear when state is unlocked 2015-09-16 18:20:18 +05:30
can can: add missing initialisations in CAN related skbuffs 2015-03-26 15:00:58 +01:00
ceph libceph: introduce ceph_crypt() for in-place en/decryption 2017-04-22 23:02:50 +02:00
core net: make skb_partial_csum_set() more robust against overflows 2019-07-27 21:53:15 +02:00
dcb
dccp dccp: check sk for closed state in dccp_sendmsg() 2019-07-27 21:49:52 +02:00
decnet Import latest Samsung release 2017-04-18 03:43:52 +02:00
dns_resolver KEYS: DNS: fix parsing multiple options 2019-07-27 21:52:57 +02:00
dsa
ethernet
ieee802154
ipc_router net: ipc_router: Fix buffer overflow during memcpy 2019-07-27 21:51:21 +02:00
ipv4 igmp: fix incorrect unsolicit report count after link down and up 2019-07-27 21:53:12 +02:00
ipv6 ipv6: take rcu lock in rawv6_send_hdrinc() 2019-07-27 21:53:14 +02:00
ipx ipx: call ipxitf_put() in ioctl error path 2018-01-21 21:05:49 -08:00
irda irda: Fix lockdep annotations in hashbin_delete(). 2017-04-22 23:02:49 +02:00
iucv
key af_key: fix buffer overread in parse_exthdrs() 2019-07-27 21:46:23 +02:00
l2tp l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl() 2019-07-27 21:52:59 +02:00
lapb
llc llc: better deal with too small mtu 2019-07-27 21:52:24 +02:00
mac80211 mac80211: use constant time comparison with keys 2019-07-27 21:45:47 +02:00
mac802154
netfilter netfilter: nf_queue: augment nfqa_cfg_policy 2019-07-27 21:52:53 +02:00
netlabel netlabel: add address family checks to netlbl_{sock,req}_delattr() 2019-07-27 21:41:59 +02:00
netlink BACKPORT: netlink: add a start callback for starting a netlink dump 2019-07-27 21:51:36 +02:00
netrom
nfc NFC: llcp: Limit size of SDP URI 2019-07-27 21:51:24 +02:00
openvswitch
packet packet: fix bitfield update race 2019-07-27 21:52:20 +02:00
phonet This is the 3.10.96 stable release 2017-04-18 17:16:02 +02:00
rds This is the 3.10.99 stable release 2017-04-18 17:17:46 +02:00
rfkill net: rfkill: Do not ignore errors from regulator_enable() 2019-07-27 21:42:01 +02:00
rmnet_data net: rmnet_data: Change the log level for unknown IOCTL's 2019-07-27 21:51:01 +02:00
rose
rxrpc rxrpc: Fix several cases where a padded len isn't checked in ticket decode 2019-07-27 21:44:13 +02:00
sched sch_fq_codel: avoid double free on init failure 2019-07-27 21:45:13 +02:00
sctp sctp: fix a type cast warnings that causes a_rwnd gets the wrong value 2019-07-27 21:45:39 +02:00
sunrpc kernel: make groups_sort calling a responsibility group_info allocators 2019-07-27 21:46:18 +02:00
tipc net/tipc: initialize security state for new connection socket 2015-10-01 12:07:35 +02:00
unix net/unix: don't show information about sockets from other namespaces 2019-07-27 21:45:50 +02:00
vmw_vsock VSOCK: do not disconnect socket when peer has shutdown SEND only 2016-06-07 10:42:54 +02:00
wimax
wireless cfg80211: reg: Init wiphy_idx in regulatory_hint_core() 2019-07-27 21:52:37 +02:00
x25 net: fix a kernel infoleak in x25 module 2016-06-07 10:42:54 +02:00
xfrm xfrm_user: prevent leaking 2 bytes of kernel memory 2019-07-27 21:52:54 +02:00
Kconfig
Makefile
activity_stats.c
compat.c net: support compat 64-bit time in {s,g}etsockopt 2019-07-27 21:49:09 +02:00
nonet.c
socket.c net: socket: fix potential spectre v1 gadget in socketcall 2019-07-27 21:52:58 +02:00
sysctl_net.c