linux/net
Pavel Skripkin ad9d24c942 net: qrtr: fix OOB Read in qrtr_endpoint_post
Syzbot reported slab-out-of-bounds Read in
qrtr_endpoint_post. The problem was in wrong
_size_ type:

	if (len != ALIGN(size, 4) + hdrlen)
		goto err;

If size from qrtr_hdr is 4294967293 (0xfffffffd), the result of
ALIGN(size, 4) will be 0. In case of len == hdrlen and size == 4294967293
in header this check won't fail and

	skb_put_data(skb, data + hdrlen, size);

will read out of bound from data, which is hdrlen allocated block.

Fixes: 194ccc8829 ("net: qrtr: Support decoding incoming v2 packets")
Reported-and-tested-by: syzbot+1917d778024161609247@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-06-14 13:01:26 -07:00
..
6lowpan 6lowpan: Fix some typos in nhc_udp.c 2021-03-24 17:52:11 -07:00
9p net: 9p: Correct function names in the kerneldoc comments 2021-03-28 17:56:56 -07:00
802
8021q Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-26 12:00:00 -07:00
appletalk net: appletalk: fix the usage of preposition 2021-06-08 11:37:41 -07:00
atm net: atm: pppoatm: use new API for wakeup tasklet 2021-01-29 18:24:05 -08:00
ax25 net/ax25: Delete obsolete TODO file 2021-03-30 16:54:50 -07:00
batman-adv batman-adv: Avoid WARN_ON timing related checks 2021-05-18 21:10:01 +02:00
bluetooth Bluetooth: use correct lock to prevent UAF of hdev object 2021-05-31 14:33:26 +02:00
bpf bpf: selftests: Add kfunc_call test 2021-03-26 20:41:52 -07:00
bpfilter net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
bridge net: bridge: fix vlan tunnel dst refcnt when egressing 2021-06-10 14:06:43 -07:00
caif net: caif: fix memory leak in cfusbl_device_notify 2021-06-03 15:05:07 -07:00
can can: isotp: prevent race between isotp_bind() and isotp_setsockopt() 2021-05-12 08:52:47 +02:00
ceph Notable items here are a series to take advantage of David Howells' 2021-05-06 10:27:02 -07:00
core net: make get_net_ns return error if NET_NS is disabled 2021-06-12 13:13:08 -07:00
dcb net: dcb: use obj-$(CONFIG_DCB) form in net/Makefile 2021-01-27 17:03:52 -08:00
dccp net: dccp: use net_generic storage 2021-04-09 16:34:56 -07:00
decnet net/decnet: Delete obsolete TODO file 2021-03-30 16:54:50 -07:00
dns_resolver net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
dsa net: dsa: tag_8021q: fix the VLAN IDs used for encoding sub-VLANs 2021-06-01 15:02:05 -07:00
ethernet of: net: pass the dst buffer to of_get_mac_address() 2021-04-13 14:35:02 -07:00
ethtool ethtool: strset: fix message length calculation 2021-06-14 12:14:24 -07:00
hsr net: hsr: fix mac_len checks 2021-05-24 14:10:28 -07:00
ieee802154 ieee802154: fix error return code in ieee802154_llsec_getparams() 2021-06-03 10:59:49 +02:00
ife net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
ipv4 ipv4: Fix device used for dst_alloc with local routes 2021-06-14 12:30:53 -07:00
ipv6 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2021-06-10 14:33:56 -07:00
iucv iucv: af_iucv.c: Couple of typo fixes 2021-03-28 17:31:13 -07:00
kcm revert "net: kcm: fix memory leak in kcm_sendmsg" 2021-06-07 13:34:37 -07:00
key af_key: relax availability checks for skb size calculation 2021-01-04 10:05:50 +01:00
l2tp net: fix a concurrency bug in l2tp_tunnel_register() 2021-04-27 14:23:13 -07:00
l3mdev l3mdev: Correct function names in the kerneldoc comments 2021-03-28 17:56:55 -07:00
lapb net: lapb: Make "lapb_t1timer_running" able to detect an already running timer 2021-03-23 14:14:50 -07:00
llc llc2: Remove redundant assignment to rc 2021-04-27 14:16:14 -07:00
mac80211 mac80211: drop multicast fragments 2021-06-09 16:17:45 +02:00
mac802154 net: mac802154: Fix general protection fault 2021-04-06 22:42:16 +02:00
mpls mpls: Remove redundant assignment to err 2021-04-27 14:17:00 -07:00
mptcp mptcp: fix soft lookup in subflow_error_report() 2021-06-10 16:47:45 -07:00
ncsi Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-04-09 20:48:35 -07:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2021-06-10 14:33:56 -07:00
netlabel Networking changes for 5.13. 2021-04-29 11:57:23 -07:00
netlink netlink: disable IRQs for netlink_lock_table() 2021-05-17 15:31:03 -07:00
netrom net: netrom: nr_in: Remove redundant assignment to ns 2021-04-28 13:59:08 -07:00
nfc nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect 2021-05-31 22:43:27 -07:00
nsh
openvswitch openvswitch: meter: fix race when getting now_ms. 2021-05-13 15:54:59 -07:00
packet net/packet: annotate data race in packet_sendmsg() 2021-06-10 14:12:54 -07:00
phonet
psample psample: Add additional metadata attributes 2021-03-14 15:00:43 -07:00
qrtr net: qrtr: fix OOB Read in qrtr_endpoint_post 2021-06-14 13:01:26 -07:00
rds net: rds: fix memory leak in rds_recvmsg 2021-06-08 16:32:17 -07:00
rfkill Another set of updates, all over the map: 2021-04-20 16:44:04 -07:00
rose net: rose: Fix fall-through warnings for Clang 2021-03-10 12:45:15 -08:00
rxrpc Networking changes for 5.13. 2021-04-29 11:57:23 -07:00
sched sch_cake: revise docs for RFC 8622 LE PHB support 2021-06-14 12:10:57 -07:00
sctp sctp: fix the proc_handler for sysctl encap_port 2021-05-25 15:18:29 -07:00
smc Networking fixes for 5.13-rc4, including fixes from bpf, netfilter, 2021-05-26 17:44:49 -10:00
strparser
sunrpc NFS client updates for Linux 5.13 2021-05-07 11:23:41 -07:00
switchdev net: bridge: propagate extack through switchdev_port_attr_set 2021-02-14 17:38:11 -08:00
tipc tipc: simplify the finalize work queue 2021-05-18 13:22:09 -07:00
tls net/tls: Fix use-after-free after the TLS device goes down and up 2021-06-01 15:58:05 -07:00
unix af_unix: handle idmapped mounts 2021-01-24 14:27:18 +01:00
vmw_vsock vsock/vmci: Remove redundant assignment to err 2021-04-30 15:00:59 -07:00
wireless cfg80211: shut down interfaces on failed resume 2021-06-09 16:09:20 +02:00
x25 net/x25: Return the correct errno code 2021-06-03 15:13:56 -07:00
xdp xsk: Fix for xp_aligned_validate_desc() when len == chunk_size 2021-05-04 00:28:06 +02:00
xfrm xfrm: ipcomp: remove unnecessary get_cpu() 2021-04-19 12:49:29 +02:00
compat.c net: Return the correct errno code 2021-06-03 15:13:56 -07:00
devres.c
Kconfig bpf, kconfig: Add consolidated menu entry for bpf with core options 2021-05-11 13:56:16 -07:00
Makefile net: l3mdev: use obj-$(CONFIG_NET_L3_MASTER_DEV) form in net/Makefile 2021-01-27 17:03:52 -08:00
socket.c net: make get_net_ns return error if NET_NS is disabled 2021-06-12 13:13:08 -07:00
sysctl_net.c net: Ensure net namespace isolation of sysctls 2021-04-12 13:27:11 -07:00