android_kernel_samsung_msm8976/net/core
Eric Dumazet c4cd7fe732 net: make skb_partial_csum_set() more robust against overflows
commit 52b5d6f5dcf0e5201392f7d417148ccb537dbf6f upstream.

syzbot managed to crash in skb_checksum_help() [1]:

        BUG_ON(offset + sizeof(__sum16) > skb_headlen(skb));

Root cause is the following check in skb_partial_csum_set()

	if (unlikely(start > skb_headlen(skb)) ||
	    unlikely((int)start + off > skb_headlen(skb) - 2))
		return false;

If skb_headlen(skb) is 1, then (skb_headlen(skb) - 2) becomes 0xffffffff
and the check fails to detect that ((int)start + off) is off the limit,
since the compare is unsigned.

When we fix that, then the first condition (start > skb_headlen(skb))
becomes obsolete.

Then we should also check that (skb_headroom(skb) + start) won't
overflow the 16-bit field.

[1]
kernel BUG at net/core/dev.c:2880!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7330 Comm: syz-executor4 Not tainted 4.19.0-rc6+ #253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_checksum_help+0x9e3/0xbb0 net/core/dev.c:2880
Code: 85 00 ff ff ff 48 c1 e8 03 42 80 3c 28 00 0f 84 09 fb ff ff 48 8b bd 00 ff ff ff e8 97 a8 b9 fb e9 f8 fa ff ff e8 2d 09 76 fb <0f> 0b 48 8b bd 28 ff ff ff e8 1f a8 b9 fb e9 b1 f6 ff ff 48 89 cf
RSP: 0018:ffff8801d83a6f60 EFLAGS: 00010293
RAX: ffff8801b9834380 RBX: ffff8801b9f8d8c0 RCX: ffffffff8608c6d7
RDX: 0000000000000000 RSI: ffffffff8608cc63 RDI: 0000000000000006
RBP: ffff8801d83a7068 R08: ffff8801b9834380 R09: 0000000000000000
R10: ffff8801d83a76d8 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000010001 R14: 000000000000ffff R15: 00000000000000a8
FS:  00007f1a66db5700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7d77f091b0 CR3: 00000001ba252000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 skb_csum_hwoffload_help+0x8f/0xe0 net/core/dev.c:3269
 validate_xmit_skb+0xa2a/0xf30 net/core/dev.c:3312
 __dev_queue_xmit+0xc2f/0x3950 net/core/dev.c:3797
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
 packet_snd net/packet/af_packet.c:2928 [inline]
 packet_sendmsg+0x422d/0x64c0 net/packet/af_packet.c:2953

Fixes: 5ff8dda303 ("net: Ensure partial checksum offset is inside the skb head")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2019-07-27 21:53:15 +02:00
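The failing comparison the commit describes, reproduced next to a hardened check written from the commit's three points (signed/unsigned mix, the redundant first test, the 16-bit csum_start overflow), as an added example that is not code from the page or from the kernel tree. The names partial_csum_ok_old, partial_csum_ok_new and csum_help_would_bug are assumptions, as are the plain integer parameters standing in for skb_headlen(skb) and skb_headroom(skb); the inputs are constructed here, not taken from the syzbot report.

```c
/* Added illustration, not kernel code. Plain integers stand in for
 * skb_headlen(skb) (unsigned int) and skb_headroom(skb); the function
 * names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors the original check in skb_partial_csum_set(). start and off are
 * u16 as in the kernel signature. */
static bool partial_csum_ok_old(unsigned int headlen, uint16_t start, uint16_t off)
{
    /* (int)start + off is an int; headlen - 2 is unsigned int, so the
     * comparison is done unsigned. With headlen == 1 the right-hand side
     * wraps to 0xffffffff and no offset is ever "greater" than it. */
    if (start > headlen || (int)start + off > headlen - 2)
        return false;
    return true;
}

/* Hardened check following the commit's prescription: do the arithmetic in
 * u32 on the left-hand side so nothing wraps, and verify that
 * headroom + start still fits the 16-bit csum_start field. */
static bool partial_csum_ok_new(unsigned int headlen, unsigned int headroom,
                                uint16_t start, uint16_t off)
{
    uint32_t csum_end = (uint32_t)start + (uint32_t)off + sizeof(uint16_t);
    uint32_t csum_start = headroom + (uint32_t)start;

    /* csum_end > headlen also covers start > headlen, so the old first
     * condition is no longer needed. */
    if (csum_start > UINT16_MAX || csum_end > headlen)
        return false;
    return true;
}

/* The condition skb_checksum_help() asserts on (dev.c:2880 in the trace):
 * the 2-byte checksum at start + off must lie inside the linear head. */
static bool csum_help_would_bug(unsigned int headlen, uint16_t start, uint16_t off)
{
    return (unsigned int)start + off + sizeof(uint16_t) > headlen;
}

int main(void)
{
    /* Constructed case from the commit text: a 1-byte linear head. */
    unsigned int headlen = 1;
    printf("headlen=1 start=0 off=0: old accepts=%d would_bug=%d new accepts=%d\n",
           partial_csum_ok_old(headlen, 0, 0), csum_help_would_bug(headlen, 0, 0),
           partial_csum_ok_new(headlen, 0, 0, 0));
    /* Constructed 16-bit overflow case: large headroom pushes csum_start past U16_MAX. */
    printf("headlen=4096 headroom=65530 start=10: old accepts=%d new accepts=%d\n",
           partial_csum_ok_old(4096, 10, 0), partial_csum_ok_new(4096, 65530, 10, 0));
    return 0;
}
```

The old check fails only when headlen is 0 or 1, which is exactly what a raw socket sender can arrange; the hardened form moves the `+ 2` to the left-hand side and keeps every operand in u32, so two 16-bit inputs plus the header size cannot wrap, and the separate csum_start test catches the case the old code never looked at.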
Makefile
datagram.c Merge remote-tracking branch 'f2fs/linux-3.10.y' into HEAD 2017-04-18 17:02:28 +02:00
dev.c UPSTREAM: net: remove open-coded skb_cow_head. 2019-07-27 21:51:06 +02:00
dev_addr_lists.c net: fix uninit-value in __hw_addr_add_ex() 2019-07-27 21:49:08 +02:00
dev_ioctl.c
drop_monitor.c drop_monitor: consider inserted data in genlmsg_end 2019-07-27 21:43:42 +02:00
dst.c net: ratelimit warnings about dst entry refcount underflow or overflow 2019-07-27 21:42:33 +02:00
ethtool.c Merge remote-tracking branch 'f2fs/linux-3.10.y' into HEAD 2017-04-18 17:02:28 +02:00
fib_rules.c net: core: add UID to flows, rules, and routes 2019-07-27 21:50:59 +02:00
filter.c tcp: take care of truncations done by sk_filter() 2019-07-27 21:42:33 +02:00
flow.c
flow_dissector.c
gen_estimator.c
gen_stats.c
iovec.c iovec: make sure the caller actually wants anything in memcpy_fromiovecend 2019-07-27 21:45:59 +02:00
link_watch.c
neighbour.c net: fix deadlock while clearing neighbor proxy table 2019-07-27 21:52:24 +02:00
net-procfs.c
net-sysfs.c
net-sysfs.h
net-traces.c
net_namespace.c
netevent.c
netpoll.c
netprio_cgroup.c
pktgen.c net: pktgen: fix race between pktgen_thread_worker() and kthread_stop() 2015-10-01 12:07:35 +02:00
request_sock.c
rtnetlink.c rtnetlink: validate attributes in do_setlink() 2019-07-27 21:52:49 +02:00
scm.c This is the 3.10.95 stable release 2017-04-18 17:14:54 +02:00
secure_seq.c
skbuff.c net: make skb_partial_csum_set() more robust against overflows 2019-07-27 21:53:15 +02:00
sock.c net: core: Add a UID field to struct sock. 2019-07-27 21:50:58 +02:00
sock_diag.c net: diag: Add the ability to destroy a socket. 2016-05-18 14:36:07 +05:30
sockev_nlmcast.c Send only BIND and LISTEN events. 2015-12-09 23:39:38 -08:00
stream.c
sysctl_net_core.c
timestamping.c
user_dma.c
utils.c