linux/drivers
Kees Cook ce098da149 skbuff: Introduce slab_build_skb()
syzkaller reported:

  BUG: KASAN: slab-out-of-bounds in __build_skb_around+0x235/0x340 net/core/skbuff.c:294
  Write of size 32 at addr ffff88802aa172c0 by task syz-executor413/5295

For bpf_prog_test_run_skb(), which uses a kmalloc()ed buffer passed to
build_skb().

When build_skb() is passed a frag_size of 0, it means the buffer came
from kmalloc. In these cases, ksize() is used to find its actual size,
but since the allocation may not have been made to that size, actually
perform the krealloc() call so that all the associated buffer size
checking will be correctly notified (and use the "new" pointer so that
compiler hinting works correctly). Split this logic out into a new
interface, slab_build_skb(), but leave the original 0 checking for now
to catch any stragglers.

Reported-by: syzbot+fda18eaa8c12534ccb3b@syzkaller.appspotmail.com
Link: https://groups.google.com/g/syzkaller-bugs/c/UnIKxTtU5-0/m/-wbXinkgAQAJ
Fixes: 38931d8989 ("mm: Make ksize() a reporting-only function")
Cc: Pavel Begunkov <asml.silence@gmail.com>
Cc: pepsipu <soopthegoop@gmail.com>
Cc: syzbot+fda18eaa8c12534ccb3b@syzkaller.appspotmail.com
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: kasan-dev <kasan-dev@googlegroups.com>
Cc: Andrii Nakryiko <andrii@kernel.org>
Cc: ast@kernel.org
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Hao Luo <haoluo@google.com>
Cc: Jesper Dangaard Brouer <hawk@kernel.org>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: jolsa@kernel.org
Cc: KP Singh <kpsingh@kernel.org>
Cc: martin.lau@linux.dev
Cc: Stanislav Fomichev <sdf@google.com>
Cc: song@kernel.org
Cc: Yonghong Song <yhs@fb.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221208060256.give.994-kees@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-12-09 19:47:41 -08:00
..
accessibility speakup: replace utils' u_char with unsigned char 2022-11-09 15:25:24 +01:00
acpi ACPI: HMAT: Fix initiator registration for single-initiator systems 2022-11-18 23:55:40 -08:00
amba
android binder: validate alloc->mm in ->mmap() handler 2022-11-09 15:41:27 +01:00
ata ata: libahci_platform: ahci_platform_find_clk: oops, NULL pointer 2022-12-07 08:36:37 +09:00
atm
auxdisplay
base ACPI and device properties fixes for 6.1-rc3 2022-10-28 16:48:29 -07:00
bcma bcma: Fail probe if GPIO subdriver fails 2022-11-04 12:59:51 +02:00
block block-6.1-2022-11-25 2022-11-25 17:50:57 -08:00
bluetooth Bluetooth: btusb: Add debug message for CSR controllers 2022-12-02 13:09:30 -08:00
bus bus: ixp4xx: Don't touch bit 7 on IXP42x 2022-11-22 23:12:18 +01:00
cdrom
char char: tpm: Protect tpm_pm_suspend with locks 2022-12-04 12:49:13 -08:00
clk clk: qcom: gcc-sc8280xp: add cxo as parent for three ufs ref clks 2022-11-22 18:27:07 -08:00
clocksource Revert "clocksource/drivers/riscv: Events are stopped during CPU suspend" 2022-12-01 12:05:29 +01:00
comedi comedi: convert sysfs snprintf to sysfs_emit 2022-09-09 10:37:52 +02:00
connector
counter counter: 104-quad-8: Fix race getting function mode and direction 2022-10-23 20:39:26 -04:00
cpufreq cpufreq: amd-pstate: add amd-pstate driver parameter for mode selection 2022-11-22 19:57:15 +01:00
cpuidle RISC-V Patches for the 6.1 Merge Window, Part 1 2022-10-09 13:24:01 -07:00
crypto net: devlink: let the core report the driver name instead of the drivers 2022-11-30 21:49:38 -08:00
cxl cxl/region: Recycle region ids 2022-11-04 16:03:43 -07:00
dax device-dax: Fix duplicate 'hmem' device registration 2022-11-21 15:34:40 -08:00
dca
devfreq PM / devfreq: rockchip-dfi: Fix an error message 2022-09-26 03:59:43 +09:00
dio
dma dmaengine: at_hdmac: Check return code of dma_async_device_register 2022-11-08 10:43:57 +05:30
dma-buf dma-buf: fix racing conflict of dma_heap_add() 2022-11-22 18:27:56 +05:30
edac Merge patch series "Use composable cache instead of L2 cache" 2022-10-13 11:07:13 -07:00
eisa
extcon extcon: usbc-tusb320: Call the Type-C IRQ handler only if a port is registered 2022-11-08 16:45:31 +01:00
firewire
firmware Char/Misc driver fixes for 6.1-rc6 2022-11-18 10:29:25 -08:00
fpga fpga: m10bmc-sec: Fix kconfig dependencies 2022-11-15 21:46:58 +08:00
fsi fsi: core: Check error number after calling ida_simple_get 2022-09-28 21:10:57 +09:30
gnss
gpio gpio/rockchip: fix refcount leak in rockchip_gpiolib_register() 2022-12-06 10:10:46 +01:00
gpu drm fixes for 6.1-rc8 2022-12-02 15:35:21 -08:00
greybus
hid for-linus-2022120801 2022-12-08 12:37:42 -08:00
hsi HSI: nokia-modem: Replace of_gpio_count() by gpiod_count() 2022-09-20 17:29:29 +02:00
hte
hv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-11-29 13:04:52 -08:00
hwmon hwmon: (asus-ec-sensors) Add checks for devm_kcalloc 2022-12-01 09:20:55 -08:00
hwspinlock hwspinlock: qcom: add support for MMIO on older SoCs 2022-09-13 17:01:18 -05:00
hwtracing coresight: cti: Fix hang in cti_disable_hw() 2022-10-25 19:08:07 +02:00
i2c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-12-08 18:19:59 -08:00
i3c i3c: master: Remove the wrong place of reattach. 2022-10-12 23:45:29 +02:00
idle intel_idle: Add AlderLake-N support 2022-09-21 20:33:49 +02:00
iio iio: adc: aspeed: Remove the trim valid dts property. 2022-11-14 20:20:08 +00:00
infiniband net/mlx5: Generalize name of UMR alignment definition 2022-11-29 21:09:43 -08:00
input Input updates for v6.1-rc7 2022-12-04 12:18:37 -08:00
interconnect Merge branch 'icc-ignore-return-val' into icc-next 2022-09-20 15:57:00 +03:00
iommu iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init() 2022-12-02 11:45:33 +01:00
ipack Char/Misc and other driver changes for 6.1-rc1 2022-10-08 08:56:37 -07:00
irqchip Interrupt subsystem updates: 2022-10-12 10:23:24 -07:00
isdn mISDN: fix misuse of put_device() in mISDN_register_device() 2022-11-14 10:43:13 +00:00
leds leds: simatic-ipc-leds-gpio: fix incorrect LED to GPIO mapping 2022-10-24 11:32:10 +02:00
macintosh powerpc updates for 6.1 2022-10-09 14:05:15 -07:00
mailbox mailbox: qcom-ipcc: flag IRQ NO_THREAD 2022-10-05 21:51:58 -05:00
mcb
md block-6.1-2022-11-18 2022-11-18 13:59:45 -08:00
media media: videobuf2-core: take mmap_lock in vb2_get_unmapped_area() 2022-12-07 11:25:40 -08:00
memory Memory controller drivers for v6.1 - MediaTek 2022-09-12 17:04:15 +02:00
memstick
message
mfd Revert "mfd: syscon: Remove repetition of the regmap_get_val_endian()" 2022-10-23 12:04:56 -07:00
misc misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram() 2022-11-09 15:40:03 +01:00
mmc mmc: sdhci-sprd: Fix no reset data and command after voltage switch 2022-12-01 11:28:39 +01:00
most
mtd mtd: onenand: omap2: add dependency on GPMC 2022-11-07 16:53:04 +01:00
mux
net skbuff: Introduce slab_build_skb() 2022-12-09 19:47:41 -08:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-11-29 13:04:52 -08:00
ntb
nubus
nvdimm libnvdimm for 6.1 2022-10-14 18:41:41 -07:00
nvme block-6.1-2022-12-02 2022-12-02 16:27:15 -08:00
nvmem nvmem: lan9662-otp: Change return type of lan9662_otp_wait_flag_clear() 2022-11-22 18:22:05 +01:00
of of: property: decrement node refcount in of_fwnode_get_reference_args() 2022-11-22 17:22:52 -06:00
opp
parisc parisc: Export iosapic_serial_irq() symbol for serial port driver 2022-10-27 09:12:05 +02:00
parport parport_pc: Avoid FIFO port location truncation 2022-11-09 15:40:32 +01:00
pci PCI: hv: Only reuse existing IRTE allocation for Multi-MSI 2022-11-12 12:43:59 +00:00
pcmcia pcmcia: remove AT91RM9200 Compact Flash driver 2022-09-27 08:12:16 +02:00
peci
perf arm64 fixes: 2022-10-14 12:38:03 -07:00
phy phy: ralink: mt7621-pci: add sentinel to quirks table 2022-11-05 13:01:25 +05:30
pinctrl pinctrl: intel: Save and restore pins in "direct IRQ" mode 2022-11-28 21:41:31 +01:00
platform platform-drivers-x86 for v6.1-5 2022-12-07 12:37:35 -08:00
pnp Merge branches 'acpi-apei', 'acpi-wakeup', 'acpi-reboot' and 'acpi-thermal' 2022-10-10 18:11:11 +02:00
power power: supply: ab8500: Defer thermal zone probe 2022-11-01 01:00:32 +01:00
powercap Scheduler changes for v6.1: 2022-10-10 09:10:28 -07:00
pps
ps3
ptp net: devlink: let the core report the driver name instead of the drivers 2022-11-30 21:49:38 -08:00
pwm pwm: Changes for v6.1-rc1 2022-10-07 11:32:10 -07:00
rapidio
ras
regulator regulator: Late fixes for v6.1 2022-11-25 13:54:48 -08:00
remoteproc remoteproc: virtio: Fix warning on bindings by removing the of_match_table 2022-10-05 09:20:44 -06:00
reset Here's the main clk pull request for this merge window. We have some 2022-10-08 10:06:48 -07:00
rpmsg rpmsg: char: Avoid double destroy of default endpoint 2022-09-21 11:21:33 -06:00
rtc rtc: cmos: fix build on non-ACPI platforms 2022-10-18 22:36:54 +02:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-12-08 18:19:59 -08:00
sbus
scsi hyperv-fixes for 6.1-rc7 2022-11-25 12:32:42 -08:00
sh
siox siox: fix possible memory leak in siox_device_add() 2022-11-09 15:40:14 +01:00
slimbus slimbus: qcom-ngd: Fix build error when CONFIG_SLIM_QCOM_NGD_CTRL=y && CONFIG_QCOM_RPROC_COMMON=m 2022-11-10 18:45:40 +01:00
soc soc: imx8m: Enable OCOTP clock before reading the register 2022-11-14 15:52:53 +08:00
soundwire soundwire: qcom: check for outanding writes before doing a read 2022-10-28 17:00:38 +05:30
spi spi: Fixes for v6.1 2022-11-23 11:19:06 -08:00
spmi spmi: pmic-arb: increase SPMI transaction timeout delay 2022-09-30 14:33:23 +02:00
ssb ssb: gpio: Use generic_handle_irq_safe() 2022-09-19 15:08:38 +02:00
staging Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-11-29 13:04:52 -08:00
target scsi: target: tcm_loop: Fix possible name leak in tcm_loop_setup_hba_bus() 2022-11-17 17:46:16 +00:00
tc
tee tee: optee: fix possible memory leak in optee_register_device() 2022-11-17 09:22:12 +01:00
thermal thermal: intel_powerclamp: Use first online CPU as control_cpu 2022-10-15 19:33:57 +02:00
thunderbolt treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
tty TTY/Serial driver fixes for 6.1-rc6 2022-11-18 10:59:52 -08:00
ufs scsi: ufs: core: Fix typo in comment 2022-10-22 03:29:32 +00:00
uio
usb usb: cdnsp: fix issue with ZLP - added TD_SIZE = 1 2022-11-22 16:52:05 +01:00
vdpa virtio: fixes, features 2022-10-10 14:02:53 -07:00
vfio vfio/pci: Check the device set open count on reset 2022-11-10 12:03:36 -07:00
vhost virtio: fixes, features 2022-10-10 14:02:53 -07:00
video Merge tag 'drm-misc-fixes-2022-11-24' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes 2022-11-25 09:21:11 +10:00
virt virt/sev-guest: Prevent IV reuse in the SNP guest driver 2022-11-21 11:03:40 +01:00
virtio virtio_pci: use irq to detect interrupt support 2022-10-13 09:33:03 -04:00
vlynq
w1 Char/Misc and other driver changes for 6.1-rc1 2022-10-08 08:56:37 -07:00
watchdog linux-watchdog 6.1-rc4 tag 2022-11-01 12:21:53 -07:00
xen xen: branch for v6.1-rc6 2022-11-16 10:49:06 -08:00
zorro
Kconfig
Makefile hwtracing: hisi_ptt: Add trace function support for HiSilicon PCIe Tune and Trace device 2022-09-08 16:26:17 -06:00