linux/drivers
Si-Wei Liu 73d462a38d tap: add missing verification for short frame
commit ed7f2afdd0 upstream.

The cited commit missed checking the validity of the frame length
in the tap_get_user_xdp() path, which could cause a corrupted skb to be
sent downstack. Even before the skb is transmitted, the
tap_get_user_xdp()-->skb_set_network_header() may assume the size is more
than ETH_HLEN. Once transmitted, this could either cause out-of-bounds
access beyond the actual length, or confuse the underlayer with incorrect
or inconsistent header length in the skb metadata.

In the alternative path, tap_get_user() already prohibits a short frame
whose length is less than the Ethernet header size from being transmitted.

This is to drop any frame shorter than the Ethernet header size just like
how tap_get_user() does.

CVE: CVE-2024-41090
Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
Fixes: 0efac27791 ("tap: accept an array of XDP buffs through sendmsg()")
Cc: stable@vger.kernel.org
Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-07-27 11:36:19 +02:00
..
accel accel/ivpu: Fix deadlock in context_xa 2024-04-08 10:55:01 +02:00
accessibility speakup: Fix sizeof() vs ARRAY_SIZE() bug 2024-05-30 09:43:58 +02:00
acpi ACPI: AC: Properly notify powermanagement core about changes 2024-07-25 09:53:20 +02:00
amba
android binder: fix max_thread type inconsistency 2024-05-25 16:30:54 +02:00
ata ata: libata-core: Fix double free on error 2024-07-05 09:38:15 +02:00
atm atm: fore200e: Convert to platform remove callback returning void 2024-03-07 20:36:32 -08:00
auxdisplay auxdisplay: charlcd: Don't rebuild when CONFIG_PANEL_BOOT_MESSAGE=y 2024-04-11 13:34:29 +03:00
base regmap-i2c: Subtract reg size from max_write 2024-07-11 12:51:22 +02:00
bcma
block loop: Disable fallocate() zero and discard if not supported 2024-07-25 09:53:28 +02:00
bluetooth Bluetooth: btnxpuart: Enable Power Save feature on startup 2024-07-25 09:53:37 +02:00
bus Char/Misc and other driver subsystem updates for 6.9-rc1 2024-03-21 13:21:31 -07:00
cache cache: sifive_ccache: Silence unused variable warning 2024-04-11 07:28:37 +01:00
cdrom cdrom: rearrange last_media_change check to avoid unintentional overflow 2024-07-11 12:51:06 +02:00
cdx
char hpet: Support 32-bit userspace 2024-07-18 13:22:47 +02:00
clk clk: qcom: apss-ipq-pll: remove 'config_ctl_hi_val' from Stromer pll configs 2024-07-25 09:53:36 +02:00
clocksource A set of updates for clocksource and clockevent drivers: 2024-03-23 14:42:45 -07:00
comedi comedi: vmk80xx: fix incomplete endpoint checking 2024-04-11 15:16:23 +02:00
connector
counter counter: ti-eqep: enable clock at probe 2024-07-05 09:38:06 +02:00
cpufreq cpufreq: Allow drivers to advertise boost enabled 2024-07-18 13:22:52 +02:00
cpuidle RISC-V Patches for the 6.9 Merge Window 2024-03-22 10:41:13 -07:00
crypto crypto: hisilicon/sec2 - fix for register offset 2024-07-11 12:51:03 +02:00
cxl cxl/region: check interleave capability 2024-07-05 09:38:20 +02:00
dax dax/bus.c: use the right locking mode (read vs write) in size_show 2024-05-30 09:44:59 +02:00
dca
devfreq
dio
dma dmaengine: xilinx: xdma: Fix data synchronisation in xdma_channel_isr() 2024-06-27 13:52:29 +02:00
dma-buf dma-buf: handle testing kthreads creation failure 2024-06-21 14:40:33 +02:00
dpll dpll: fix return value check for kmemdup 2024-05-30 09:44:39 +02:00
edac EDAC/igen6: Convert PCIBIOS_* return codes to errnos 2024-06-16 13:51:13 +02:00
eisa
extcon extcon: max8997: select IRQ_DOMAIN instead of depending on it 2024-06-12 11:39:18 +02:00
firewire firewire: ohci: fulfill timestamp for some local asynchronous transaction 2024-04-29 18:41:00 +09:00
firmware efi/libstub: zboot.lds: Discard .discard sections 2024-07-25 09:53:19 +02:00
fpga fpga: region: add owner module and take its refcount 2024-06-12 11:39:13 +02:00
fsi
gnss
gpio gpio: pca953x: fix pca953x_irq_bus_sync_unlock race 2024-07-25 09:53:34 +02:00
gpu drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() 2024-07-27 11:36:15 +02:00
greybus greybus: Fix use-after-free bug in gb_interface_release due to race condition. 2024-06-21 14:40:38 +02:00
hid HID: Ignore battery for ELAN touchscreens 2F2C and 4116 2024-07-25 09:53:25 +02:00
hsi
hte
hv hyperv-fixes for v6.9-rc4 2024-04-11 16:23:56 -07:00
hwmon hwmon: (dell-smm) Add Dell G15 5511 to fan control whitelist 2024-07-11 12:51:23 +02:00
hwspinlock
hwtracing intel_th: pci: Add Lunar Lake support 2024-06-21 14:40:37 +02:00
i2c i2c: testunit: avoid re-issued work after read message 2024-07-18 13:22:55 +02:00
i3c i3c: master: svc: fix invalidate IBI type and miss call client IBI handler 2024-06-16 13:51:12 +02:00
idle
iio iio: trigger: Fix condition for own trigger 2024-07-18 13:22:48 +02:00
infiniband IB/core: Implement a limit on UMAD receive List 2024-07-11 12:50:57 +02:00
input Input: ads7846 - use spi_device_id table 2024-07-25 09:53:33 +02:00
interconnect interconnect: qcom: qcm2290: Fix mas_snoc_bimc QoS port assignment 2024-06-12 11:39:09 +02:00
iommu iommu/amd: Fix GT feature enablement again 2024-07-05 09:38:03 +02:00
ipack
irqchip irqchip/loongson-liointc: Set different ISRs for different cores 2024-07-05 09:38:13 +02:00
isdn mISDN: fix MISDN_TIME_STAMP handling 2024-04-09 17:01:01 -07:00
leds leds: an30259a: Use devm_mutex_init() for mutex initialization 2024-07-11 12:50:55 +02:00
macintosh macintosh/via-macii: Fix "BUG: sleeping function called from invalid context" 2024-05-30 09:44:27 +02:00
mailbox mailbox: mtk-cmdq: Fix pm_runtime_get_sync() warning in mbox shutdown 2024-06-12 11:39:25 +02:00
mcb
md dm-integrity: set discard_granularity to logical block size 2024-06-21 14:40:34 +02:00
media media: dvb-frontends: tda10048: Fix integer overflow 2024-07-11 12:51:03 +02:00
memory Char/Misc and other driver subsystem updates for 6.9-rc1 2024-03-21 13:21:31 -07:00
memstick MMC core: 2024-03-13 10:59:28 -07:00
message
mfd TTY/Serial driver update for 6.9-rc1 2024-03-21 12:44:10 -07:00
misc mei: demote client disconnect warning on suspend to debug 2024-07-25 09:53:26 +02:00
mmc mmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length 2024-07-18 13:22:51 +02:00
most
mtd mtd: rawnand: rockchip: ensure NVDDR timings are rejected 2024-07-11 12:51:19 +02:00
mux
net tap: add missing verification for short frame 2024-07-27 11:36:19 +02:00
nfc nfc/nci: Add the inconsistency check between the input data length and count 2024-07-11 12:51:23 +02:00
ntb
nubus
nvdimm libnvdimm updates for v6.9 2024-03-15 11:58:32 -07:00
nvme nvme: fix NVME_NS_DEAC may incorrectly identifying the disk as EXT_LBA. 2024-07-25 09:53:33 +02:00
nvmem nvmem: core: limit cell sysfs permissions to main attribute ones 2024-07-18 13:22:50 +02:00
of of/irq: Disable "interrupt-map" parsing for PASEMI Nemo 2024-07-25 09:53:41 +02:00
opp OPP: Fix required_opp_tables for multiple genpds using same table 2024-06-27 13:52:19 +02:00
parisc parisc: led: Convert to platform remove callback returning void 2024-03-08 10:00:07 +01:00
parport parport: amiga: Mark driver struct with __refdata to prevent section mismatch 2024-07-25 09:53:26 +02:00
pci PCI/MSI: Fix UAF in msi_capability_init 2024-07-05 09:38:12 +02:00
pcmcia pcmcia: cs: make pcmcia_socket_class constant 2024-03-10 09:07:00 +01:00
peci
perf drivers/perf: riscv: Reset the counter to hpmevent mapping while starting cpus 2024-07-25 09:53:39 +02:00
phy phy: qcom: qmp-combo: Switch from V6 to V6 N4 register offsets 2024-06-27 13:52:23 +02:00
pinctrl pinctrl: qcom: spmi-gpio: drop broken pm8008 support 2024-07-05 09:38:04 +02:00
platform platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB 2024-07-25 09:53:35 +02:00
pmdomain pmdomain: qcom: rpmhpd: Skip retention level for Power Domains 2024-07-18 13:22:51 +02:00
pnp PNP: Hide pnp_bus_type from the non-PNP code 2024-07-25 09:53:20 +02:00
power power: supply: cros_usbpd: provide ID table for avoiding fallback match 2024-06-27 13:52:16 +02:00
powercap powercap: intel_rapl: Convert to platform remove callback returning void 2024-03-13 20:45:54 +01:00
pps
ps3
ptp ptp: fix integer overflow in max_vclocks_store 2024-06-27 13:52:22 +02:00
pwm pwm: stm32: Fix error message to not describe the previous error path 2024-07-05 09:38:17 +02:00
rapidio
ras RAS/AMD/ATL: Use system settings for MI300 DRAM to normalized address translation 2024-06-21 14:40:28 +02:00
regulator regulator: bd71815: fix ramp values 2024-06-27 13:52:24 +02:00
remoteproc remoteproc: k3-r5: Jump to error handling labels in start/stop errors 2024-06-21 14:40:38 +02:00
reset reset: gpio: Fix missing gpiolib dependency for GPIO reset controller 2024-07-05 09:38:19 +02:00
rpmsg
rtc RTC for 6.9 2024-03-21 17:16:46 -07:00
s390 s390/sclp: Fix sclp_init() cleanup on failure 2024-07-25 09:53:34 +02:00
sbus This includes the following changes related to sparc for v6.9: 2024-03-15 12:47:21 -07:00
scsi scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed 2024-07-25 09:53:37 +02:00
sh
siox SIOX changes for 6.9-rc1 2024-03-21 15:18:18 -07:00
slimbus slimbus: qcom-ngd-ctrl: Add timeout for wait operation 2024-05-03 07:30:32 +02:00
soc soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message 2024-07-05 09:38:00 +02:00
soundwire soundwire: cadence: fix invalid PDI offset 2024-06-12 11:39:08 +02:00
spi spi: mux: set ctlr->bits_per_word_mask 2024-07-25 09:53:40 +02:00
spmi spmi: hisi-spmi-controller: Do not override device identifier 2024-06-21 14:40:33 +02:00
ssb ssb: Fix potential NULL pointer dereference in ssb_device_uevent() 2024-06-27 13:52:12 +02:00
staging greybus: arche-ctrl: move device table to its right location 2024-06-12 11:39:09 +02:00
target scsi: target: Fix SELinux error when systemd-modules loads the target module 2024-04-05 21:37:54 -04:00
tc
tee tee: optee: ffa: Fix missing-field-initializers warning 2024-07-25 09:53:37 +02:00
thermal thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data 2024-07-11 12:51:02 +02:00
thunderbolt thunderbolt: debugfs: Fix margin debugfs node creation condition 2024-06-21 14:40:13 +02:00
tty serial: imx: ensure RTS signal is not left active after shutdown 2024-07-18 13:22:50 +02:00
ufs scsi: ufs: core: Fix ufshcd_abort_one racing issue 2024-07-18 13:22:35 +02:00
uio hyperv-fixes for v6.9-rc4 2024-04-11 16:23:56 -07:00
usb usb: gadget: midi2: Fix incorrect default MIDI2 protocol setup 2024-07-27 11:36:15 +02:00
vdpa vduse: Temporarily fail if control queue feature requested 2024-07-05 09:37:57 +02:00
vfio vfio/pci: Insert full vma on mmap'd MMIO fault 2024-07-25 09:53:27 +02:00
vhost vhost-scsi: Handle vhost_vq_work_queue failures for events 2024-07-11 12:51:21 +02:00
video fbdev: savage: Handle err return when savagefb_check_var failed 2024-06-16 13:51:01 +02:00
virt drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map() 2024-05-30 09:44:58 +02:00
virtio virtio-pci: Check if is_avq is NULL 2024-07-11 12:51:07 +02:00
w1
watchdog watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin 2024-06-16 13:51:08 +02:00
xen drivers/xen: Improve the late XenStore init protocol 2024-06-12 11:39:43 +02:00
zorro
Kconfig
Makefile