redonkable
/
remarkable-linux
1
0
Fork 0
Code Releases Activity
remarkable-linux/net
History
Willem de Bruijn 9e9f27e0d7 packet: refine ring v3 block size test to hold one frame 
commit 4576cd469d upstream.

TPACKET_V3 stores variable length frames in fixed length blocks.
Blocks must be able to store a block header, optional private space
and at least one minimum sized frame.

Frames, even for a zero snaplen packet, store metadata headers and
optional reserved space.

In the block size bounds check, ensure that the frame of the
chosen configuration fits. This includes sockaddr_ll and optional
tp_reserve.

Syzbot was able to construct a ring with insuffient room for the
sockaddr_ll in the header of a zero-length frame, triggering an
out-of-bounds write in dev_parse_header.

Convert the comparison to less than, as zero is a valid snap len.
This matches the test for minimum tp_frame_size immediately below.

Fixes: f6fb8f100b ("af-packet: TPACKET_V3 flexible buffer implementation.")
Fixes: eb73190f4f ("net/packet: refine check for priv area size")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2018-08-24 13:09:22 +02:00
..
6lowpan License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
9p 9p/trans_virtio: discard zero-length reply 2018-02-22 15:42:30 +01:00
802 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
8021q net: fix use-after-free in GRO with ESP 2018-07-22 14:28:44 +02:00
appletalk License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atm atm: Preserve value of skb->truesize when accounting to vcc 2018-07-22 14:28:43 +02:00
ax25 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
batman-adv batman-adv: Fix multicast TT issues with bogus ROAM flags 2018-08-24 13:09:05 +02:00
bluetooth Bluetooth: avoid killing an already killed socket 2018-08-22 07:46:11 +02:00
bpf bpf: Align packet data properly in program testing framework. 2017-05-02 11:46:28 -04:00
bridge netfilter: ebtables: reject non-bridge targets 2018-07-22 14:28:49 +02:00
caif License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
can can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once 2018-01-23 19:58:17 +01:00
ceph libceph, ceph: avoid memory leak when specifying same option several times 2018-05-30 07:52:04 +02:00
core net: propagate dev_get_valid_name return code 2018-08-24 13:09:02 +02:00
dcb rtnetlink: make rtnl_register accept a flags parameter 2017-08-09 16:57:38 -07:00
dccp dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() 2018-08-22 07:46:08 +02:00
decnet dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock 2018-02-25 11:07:52 +01:00
dns_resolver KEYS: DNS: fix parsing multiple options 2018-07-22 14:28:49 +02:00
dsa net: dsa: Do not suspend/resume closed slave_dev 2018-08-06 16:20:48 +02:00
ethernet networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
hsr net/hsr: Check skb_put_padto() return value 2017-08-22 13:40:23 -07:00
ieee802154 ieee802154: 6lowpan: set IFLA_LINK 2018-08-24 13:09:12 +02:00
ife net: sched: ife: check on metadata length 2018-04-29 11:33:13 +02:00
ipv4 tcp: identify cryptic messages as TCP seq # bugs 2018-08-24 13:09:19 +02:00
ipv6 ipv6: make ipv6_renew_options() interrupt/kernel safe 2018-08-24 13:09:13 +02:00
ipx License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iucv net/iucv: Free memory obtained by kzalloc 2018-03-31 18:10:41 +02:00
kcm kcm: Fix use-after-free caused by clonned sockets 2018-06-11 22:49:19 +02:00
key af_key: Always verify length of provided sadb_key 2018-06-16 09:45:14 +02:00
l2tp l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache 2018-08-22 07:46:08 +02:00
l3mdev
lapb net, lapb: convert lapb_cb.refcnt from atomic_t to refcount_t 2017-07-04 22:35:16 +01:00
llc llc: use refcount_inc_not_zero() for llc_sap_find() 2018-08-22 07:46:08 +02:00
mac80211 mac80211: use timeout from the AddBA response instead of the request 2018-06-21 04:02:55 +09:00
mac802154 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mpls mpls, nospec: Sanitize array index in mpls_label_ok() 2018-02-22 15:42:28 +01:00
ncsi net/ncsi: Fix length of GVI response packet 2017-10-21 01:56:38 +01:00
netfilter netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state 2018-08-24 13:09:22 +02:00
netlabel netlabel: If PF_INET6, check sk_buff ip header version 2018-05-30 07:52:40 +02:00
netlink netlink: Don't shift on 64 for ngroups 2018-08-09 12:16:38 +02:00
netrom net, netrom: convert nr_node.refcount from atomic_t to refcount_t 2017-07-04 22:35:17 +01:00
nfc net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL. 2018-07-22 14:28:49 +02:00
nsh nsh: set mac len based on inner packet 2018-07-22 14:28:49 +02:00
openvswitch openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found 2018-05-19 10:20:24 +02:00
packet packet: refine ring v3 block size test to hold one frame 2018-08-24 13:09:22 +02:00
phonet License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
psample MAINTAINERS: Update Yotam's E-mail 2017-11-01 12:19:03 +09:00
qrtr net: qrtr: Broadcast messages only from control port 2018-08-24 13:09:13 +02:00
rds rds: avoid unenecessary cong_update in loop transport 2018-07-22 14:28:49 +02:00
rfkill rfkill: gpio: fix memory leak in probe error path 2018-05-16 10:10:26 +02:00
rose net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
rxrpc rxrpc: Fix user call ID check in rxrpc_service_prealloc_one 2018-08-06 16:20:48 +02:00
sched net/sched: act_tunnel_key: fix NULL dereference when 'goto chain' is used 2018-08-24 13:09:14 +02:00
sctp sctp: fix erroneous inc of snmp SctpFragUsrMsgs 2018-08-24 13:09:03 +02:00
smc smc: fix sendpage() call 2018-06-21 04:02:53 +09:00
strparser strparser: Remove early eaten to fix full tcp receive buffer stall 2018-07-22 14:28:47 +02:00
sunrpc xprtrdma: Fix corner cases when handling device removal 2018-07-22 14:28:42 +02:00
switchdev net: switchdev: Remove bridge bypass support from switchdev 2017-08-07 14:48:48 -07:00
tipc tipc: eliminate KMSAN uninit-value in strcmp complaint 2018-06-21 04:02:56 +09:00
tls sock: fix sg page frag coalescing in sk_alloc_sg 2018-07-28 07:55:42 +02:00
unix License cleanup: add SPDX license identifiers to some files 2017-11-02 10:04:46 -07:00
vmw_vsock vsock: split dwork to avoid reinitializations 2018-08-22 07:46:08 +02:00
wimax License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
wireless nl80211: check nla_parse_nested() return values 2018-08-24 13:09:09 +02:00
x25 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfrm xfrm_user: prevent leaking 2 bytes of kernel memory 2018-08-24 13:09:21 +02:00
Kconfig net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros. 2017-09-04 13:25:20 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
compat.c net: support compat 64-bit time in {s,g}etsockopt 2018-05-19 10:20:24 +02:00
socket.c net: socket: fix potential spectre v1 gadget in socketcall 2018-08-06 16:20:48 +02:00
sysctl_net.c sysctl: Remove dead register_sysctl_root 2017-04-16 23:42:49 -05:00