- Jun 01, 2018
-
-
TeYuan Wang authored
We suspect the device may be blocked by lmh_read on resume, and we do not need the details about the sensors supported by LMH Lite, so remove the LMH Lite driver to avoid the resume hang risk.

Bug: 80022235
Test: Thermal-engine works properly
Change-Id: I8d7052246aa9f2c8669132931dc91893c43d30cd
Signed-off-by: TeYuan Wang <kamewang@google.com>
-
- May 10, 2018
-
-
Daniel Mentz authored
July 2018.1

Bug: 79365489
Change-Id: I5d8a5434e5d878f5c420bfc97c8805f94119a791
Signed-off-by: Daniel Mentz <danielmentz@google.com>
-
Mel Gorman authored
commit 65d8fc77 upstream.

When dealing with key handling for shared futexes, we can drastically reduce the usage/need of the page lock.

1) For anonymous pages, the associated futex object is the mm_struct which does not require the page lock.

2) For inode based keys, we can check under RCU read lock if the page mapping is still valid and take a reference to the inode.

This just leaves one rare race that requires the page lock in the slow path when examining the swapcache.

Additionally realtime users currently have a problem with the page lock being contended for unbounded periods of time during futex operations.

    Task A
    get_futex_key()
    lock_page()
    ---> preempted

Now any other task trying to lock that page will have to wait until task A gets scheduled back in, which is an unbound time.

With this patch, we pretty much have a lockless futex_get_key().

Experiments show that this patch can boost/speedup the hashing of shared futexes with the perf futex benchmarks (which is good for measuring such change) by up to 45% when there are high (> 100) thread counts on a 60 core Westmere. Lower counts are pretty much in the noise range or less than 10%, but mid range can be seen at over 30% overall throughput (hash ops/sec). This makes anon-mem shared futexes much closer to its private counterpart.

Signed-off-by: Mel Gorman <mgorman@suse.de>
[ Ported on top of thp refcount rework, changelog, comments, fixes. ]
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Chris Mason <clm@fb.com>
Cc: Darren Hart <dvhart@linux.intel.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: dave@stgolabs.net
Link: http://lkml.kernel.org/r/1455045314-8305-3-git-send-email-dave@stgolabs.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Chenbo Feng <fengc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 74250718
Change-Id: I4104985900c2f0ff7d7a5835c56fed15cf994f0e
-
Tanvi Aggarwal authored
Add conditional check when sending VIDIOC_MSM_OIS_CFG.

Bug: 38258851
Change-Id: I095418b47409f5291e5c3fcfd227897022f77f71
CRs-Fixed: 2078155
Signed-off-by: Tanvi Aggarwal <tanvia@codeaurora.org>
-
Johannes Thumshirn authored
If the list search in sg_get_rq_mark() fails to find a valid request, we return a bogus element. This then can later lead to a GPF in sg_remove_scat().

So don't return bogus Sg_requests in sg_get_rq_mark() but NULL in case the list search doesn't find a valid request.

Bug: 79090045
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Doug Gilbert <dgilbert@interlog.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Acked-by: Doug Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Chenbo Feng <fengc@google.com>
(cherry picked from commit 48ae8484)
Change-Id: If95d1a8eef3748c9937201e524184b89a5eaaf2e
Bug: 75300370
-
Krzysztof Opasiak authored
commit aa65d11a upstream.

When we unlock our spinlock to copy data to user we may get disabled by USB host and free the whole list of completed out requests including the one from which we are copying the data to user memory.

To prevent this, let's remove our working element from the list and place it back only if there is something left when we finish with it.

Fixes: 99c51500 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
Cc: stable@vger.kernel.org
Tested-by: David Lechner <david@lechnology.com>
Bug: 74447444
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Jerry Zhang <zhangjerry@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ia5d3da0952d87cd82a9e476e90a7cd3633536d94
-
Karthikeyan Mani authored
Check the debugfs ops buf size passed before reading, to eliminate the possibility of reading out of bounds.

Bug: 77528653
Change-Id: I28fd60ce93256b6b0bad62b449092a891cc15463
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
-
Guisen Yang authored
Currently, there is no check of:
1) Firmware event parameters in dbglog_parse_debug_logs(), which can result in integer underflow.
2) Number of dbg log args against the total length, which can result in buffer over-read.

To fix this, compare size of firmware event parameters and number of dbg log args with total buffer length.

Bug: 77528512
Change-Id: I981441ecf8e866afc00cf2e0e316779c8cc803c6
CRs-Fixed: 2205372
Signed-off-by: Ecco Park <eccopark@google.com>
-
Yu Wang authored
Check whether the data_len is valid, to avoid an out-of-bounds reading issue.

Bug: 77528805
Change-Id: If9fef306f455fcc1bd34d7aa713dd5c5535b8bfb
CRs-Fixed: 2170392
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
-
Li Jinyue authored
commit fbe0e839 upstream.

UBSAN reports signed integer overflow in kernel/futex.c:

    UBSAN: Undefined behaviour in kernel/futex.c:2041:18
    signed integer overflow:
    0 - -2147483648 cannot be represented in type 'int'

Add a sanity check to catch negative values of nr_wake and nr_requeue.

Bug: 76106267
Signed-off-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: dvhart@infradead.org
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Iccefa7465b9cc6475d00c0509af7988e351e6341
-
Mahesh Sivasubramanian authored
The list_for_each macro was not used correctly, where the intermediate variable would be LIST_POISON, resulting in an untrusted pointer dereference. Switch to using list_for_each_entry_safe for safe removal of a list entry.

Bug: 72956998
Change-Id: I0e0fd5dd9f251b5093d6e9d6335387512ec59249
Signed-off-by: Mahesh Sivasubramanian <msivasub@codeaurora.org>
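Added example, not code from this driver or from the sg driver fixed in the sg_get_rq_mark() entry above: a userspace re-implementation of the kernel list.h idioms that both of those fixes turn on. It shows the two pitfalls side by side with their corrected forms, first returning the loop cursor after a search that found nothing (the cursor is then container_of(head), a pointer into whatever surrounds the list head), and second unlinking an entry inside a plain list_for_each loop so that the next step reads the LIST_POISON1 value that list_del() wrote. The poison constants, the `struct req` record, the fixture data and the function names are this example's own; the buggy purge detects the poison and reports it rather than dereferencing it, which is what the real driver would have done.

```c
#include <stdbool.h>
#include <stddef.h>

struct list_head { struct list_head *next, *prev; };

/* Poison values list_del() writes into an unlinked node, as the kernel does. */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = LIST_POISON1; n->prev = LIST_POISON2;
}

/* Re-reads pos->member.next at every step: unsafe if the body unlinks pos. */
#define list_for_each_entry(pos, head, member)                                 \
    for (pos = container_of((head)->next, __typeof__(*pos), member);           \
         &pos->member != (head);                                               \
         pos = container_of(pos->member.next, __typeof__(*pos), member))

/* Caches the successor in n before the body runs, so pos may be unlinked. */
#define list_for_each_entry_safe(pos, n, head, member)                         \
    for (pos = container_of((head)->next, __typeof__(*pos), member),           \
         n = container_of(pos->member.next, __typeof__(*pos), member);         \
         &pos->member != (head);                                               \
         pos = n, n = container_of(n->member.next, __typeof__(*pos), member))

/* Hypothetical request record standing in for the drivers' list elements. */
struct req { int id; bool done; struct list_head entry; };

/* Pitfall 1 (sg_get_rq_mark): returning the cursor after a failed search.
 * When the loop runs off the end, pos is container_of(head): a pointer into
 * whatever surrounds the list head, not a request. */
static struct req *find_done_buggy(struct list_head *head)
{
    struct req *pos;
    list_for_each_entry(pos, head, entry)
        if (pos->done)
            break;
    return pos;
}

static struct req *find_done_fixed(struct list_head *head)
{
    struct req *pos;
    list_for_each_entry(pos, head, entry)
        if (pos->done)
            return pos;
    return NULL;
}

/* Pitfall 2 (list_for_each + removal): after list_del() the loop increment
 * would read pos->entry.next == LIST_POISON1. Real code dereferences it;
 * here the poison is detected inside the body and reported as -1 instead. */
static int purge_buggy(struct list_head *head)
{
    struct req *pos;
    int removed = 0;
    list_for_each_entry(pos, head, entry) {
        list_del(&pos->entry);
        removed++;
        if (pos->entry.next == LIST_POISON1)
            return -1;
    }
    return removed;
}

static int purge_safe(struct list_head *head)
{
    struct req *pos, *n;
    int removed = 0;
    list_for_each_entry_safe(pos, n, head, entry) {
        list_del(&pos->entry);
        removed++;
    }
    return removed;
}

/* Constructed fixture: the list head lives inside an owner object (so the
 * bogus container_of(head) points at real memory), with three pending
 * requests, none marked done. */
static struct { struct req scratch; struct list_head head; } owner;
static struct req reqs[3];

static void build_fixture(void)
{
    INIT_LIST_HEAD(&owner.head);
    for (int i = 0; i < 3; i++) {
        reqs[i].id = i + 1;
        reqs[i].done = false;
        list_add_tail(&reqs[i].entry, &owner.head);
    }
}

static bool buggy_search_returns_head_container(void)
{
    build_fixture();
    return find_done_buggy(&owner.head) == container_of(&owner.head, struct req, entry);
}

static bool fixed_search_returns_null(void) { build_fixture(); return find_done_fixed(&owner.head) == NULL; }
static int purge_buggy_result(void) { build_fixture(); return purge_buggy(&owner.head); }
static int purge_safe_result(void)  { build_fixture(); return purge_safe(&owner.head); }

static bool list_empty_after_safe_purge(void)
{
    build_fixture();
    purge_safe(&owner.head);
    return owner.head.next == &owner.head && owner.head.prev == &owner.head;
}
```

The buggy search returns a non-NULL pointer that is not a request at all, which is exactly the value sg_remove_scat() later faulted on; the safe iterator works because the successor is read before the body runs, so the poisoned `next` of the removed node is never followed.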
-
Zhang Qian authored
Add sanity check for wmi TLV header length before padding/shrinking elements in a wmi which has a variable length for its TLV structure. Currently, the TLV length is not checked so its maximum value could be 65535 which results in a huge count for elements. Number of elements is used to terminate the loop for padding/shrinking. If the number was too large, there would be memory overflow.

CRs-Fixed: 2169157
Bug: 77527719
Change-Id: I99c700d62f8c0db84cbd95fc6efcb5249b89eb1d
Signed-off-by: Ecco Park <eccopark@google.com>
-
Badhri Jagan Sridharan authored
As the length datatype is signed, an attacker can both overflow the calculation or supply a negative number to trick the check into returning a chosen chunk. This can have undesired consequences. Always use unsigned integer types for length values.

Bug: 63165135
Change-Id: Ifde2f0d35129014b976507f7723a319c53fabddf
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
-
Daniel Mentz authored
July 2018.1

Bug: 79365489
Change-Id: I7a185838556748ed03163beaf079c6327753e811
Signed-off-by: Daniel Mentz <danielmentz@google.com>
-
- May 07, 2018
-
-
Stuart Scott authored
This reverts commit 2aabc328.

Bug: 72957321
Bug: 79219092
Change-Id: Ia664b7fbf0c08807348d6948a5e18691b62f4f11
Signed-off-by: Stuart Scott <stuartscott@google.com>
-
- Apr 16, 2018
-
-
Stuart Scott authored
June 2018.1

Bug: 76445910
-
tinlin authored
Add data_len check in wma_nan_rsp_event_handler() to avoid OOB access.

Bug: 74237168
Change-Id: Iff42da84567381a4b64bc07e69ff1a0cd4b5a543
CRs-Fixed: 2170630
-
Chenglu Lin authored
Bug: 71363680
Change-Id: I1a07a74cae96b4548df4cb089e31485734149280
Signed-off-by: Chenglu Lin <chenglulin@android.com>
-
Hardik Arya authored
There is a possibility of an out-of-bound read because the source buffer length is not validated against the length that is about to be copied. The patch adds a proper check for validating the length before copying data.

Bug: 70399602
CRs-Fixed: 2163793
Change-Id: I7c93839d0c4d83024ce23a0ce494d09dd08567a9
Signed-off-by: Hardik Arya <harya@codeaurora.org>
-
Zhang Qian authored
Fragment count will be larger than the upper limit of cvg_nbuf_cb->extra_flag.num, which would lead to an overread of fragment length. Upper limit check for fragment count is added in this change.

Change-Id: Icc078b2efee554ac84377b5edd90d0a5c7a61f98
CRs-Fixed: 2129566
Bug: 72957387
Signed-off-by: Ecco Park <eccopark@google.com>
-
Tharun Kumar Merugu authored
Variable map may point to the same buffer under race conditions in the functions fastrpc_internal_mmap and fastrpc_internal_munmap; use a mutex to avoid race conditions on the same buffer.

Bug: 72957546
Change-Id: I96ed884c44a36f574677ba3ba189dfbf2ce3751d
Acked-by: Krishnaiah Tadakamalla <ktadakam@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
-
Tiger Yu authored
Check the validity of tx_desc_id when the htt message HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND is received from firmware, to ensure that a buffer overwrite does not happen.

Bug: 74237532
Change-Id: I0afc781b7fff303525352b817e7eb60b8b05e4d3
CRs-Fixed: 2157917
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
-
Alan Stern authored
commit 48a4ff1c upstream.

A malicious USB device with crafted descriptors can cause the kernel to access unallocated memory by setting the bNumInterfaces value too high in a configuration descriptor. Although the value is adjusted during parsing, this adjustment is skipped in one of the error return paths.

This patch prevents the problem by setting bNumInterfaces to 0 initially. The existing code already sets it to the proper value after parsing is complete.

Bug: 71751622
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I89bb5c8e48e7654aac05a7936f4ee92e1481ca65
-
Sean Callanan authored
In the code, start_fetch can try to access the buffer pointer variable after free, as the same pointer can be freed at RELEASE_BUF call at the same time.

CRs-Fixed: 2149998
Change-Id: Ic83f22336504cf67afe12131f791eee25477f011
Signed-off-by: Meera Gande <mgande@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Bug: 69065862
Signed-off-by: Sean Callanan <spyffe@google.com>
-
Himanshu Agarwal authored
Move NBUF_UPDATE_TX_PKT_COUNT in ol_tx_completion_handler to make sure that netbuf is not accessed after it is freed.

Bug: 71638332
Change-Id: Ifba9de788b11ce8cb323827d10f8005029609231
CRs-fixed: 1040612
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
-
Tharun Kumar Merugu authored
Send context ID in rpc header instead of context pointer. Validate context ID received in response and get context pointer.

Bug: 74237782
Change-Id: I9cfd10d0c1b25c3085b8e15c7ca1c8ff214bf10d
Acked-by: Viswanatham Paduchuri <vpaduchu@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Steve Pfetsch <spfetsch@google.com>
-
c_mtharu authored
Validate context pointer using magic number instead of searching through context list. It removes the usage of spin lock in interrupt handler for avoiding deadlock and reducing latency.

Bug: 74237782
Change-Id: I2492a7984a8d6545618a9cfb7a2d239d03ddd5a2
Acked-by: Viswanatham Paduchuri <vpaduchu@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
-
Andrew Chant authored
When comparing a signed value vs sizeof, make sure it's >= 0 so that when promoted to signed for comparison it won't lead to unexpected results.

Bug: 70528036
Change-Id: I99a1220598e67e3ce5c99d425e84c79639121838
Signed-off-by: Andrew Chant <achant@google.com>
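Added example, not code from this commit or from the "Always use unsigned integer types for length values" entry above, showing the three shapes of signed-length check that those two fixes are about, each beside its hardened form. In shape A a signed length is checked only against an upper bound, so a negative value passes and is then converted to a huge size_t at the copy. In shape B a signed length is compared directly with sizeof(): the usual arithmetic conversions make that comparison unsigned, so -1 becomes SIZE_MAX and the "too short" rejection never fires. In shape C a signed offset plus a negative length lands below the total and lets an out-of-range chunk be selected. The header layout, MSG_CAP and all function names are this example's own; each function returns what the check would decide rather than performing the copy, so the buggy variants can be exercised safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed wire header and buffer capacity; both are this example's own. */
struct hdr { uint32_t magic; uint16_t type; uint16_t body_len; };
#define MSG_CAP 64

/* Shape A, buggy: signed length checked only against an int upper bound.
 * Returns the count that would reach memcpy(), or 0 when rejected.
 * For len == -1 the test "-1 > 64" is false, the request is accepted, and
 * memcpy() would be handed (size_t)-1. */
static size_t accept_len_buggy(int len)
{
    if (len > MSG_CAP)
        return 0;
    return (size_t)len;
}

/* Shape A, fixed: unsigned length; one comparison covers both directions,
 * and a caller's -1 arrives as UINT32_MAX and is rejected. */
static size_t accept_len_fixed(uint32_t len)
{
    if (len > MSG_CAP)
        return 0;
    return len;
}

/* Shape B, buggy: signed length compared against sizeof(). The usual
 * arithmetic conversions make this an unsigned comparison, so -1 becomes
 * SIZE_MAX and the "too short" rejection never fires for negative input.
 * This is the line -Wsign-compare warns about. */
static bool too_short_buggy(int len)
{
    return len < sizeof(struct hdr);
}

/* Shape B, fixed: reject negatives first, then compare as size_t. */
static bool too_short_fixed(int len)
{
    return len < 0 || (size_t)len < sizeof(struct hdr);
}

/* Shape C, buggy: chunk selection with signed offset and length. A negative
 * len pulls off + len back under total, so an out-of-range offset passes and
 * the caller returns a chunk the attacker chose. */
static bool chunk_ok_buggy(int total, int off, int len)
{
    return off + len <= total;
}

/* Shape C, fixed: unsigned types, and the range check arranged so that the
 * subtraction cannot wrap (off is validated before total - off is formed). */
static bool chunk_ok_fixed(size_t total, size_t off, size_t len)
{
    return off <= total && len <= total - off;
}
```

Building with -Wsign-compare flags shape B directly; shapes A and C compile silently, which is why the rule in the earlier entry is to keep lengths unsigned end to end rather than to rely on the compiler catching the mixed comparison.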
-
Sreelakshmi Gownipalli authored
Add correct conditional check for len in dci_process_ctrl_status() to prevent buffer overflow.

Bug: 70528036
Change-Id: Id73ed1c8b104428eceef0544ce2858160cc08fd2
Signed-off-by: Sreelakshmi Gownipalli <sgownipa@codeaurora.org>
-
Mark Salyzyn authored
The buffer length is unsigned at all layers, but gets cast to int and checked in hidp_process_report and can lead to a buffer overflow. Switch len parameter to unsigned int to resolve issue.

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Fixes: 678af93e46ac10318b54f2f0c9abbdfe75c4e078 ("HID: Bluetooth: hidp: make sure input buffers are big enough")
Bug: 65853588
Change-Id: I779ce783ae7c3bce8c5a66c0954ef31347e42cfc
-
Carter Cooper authored
The user can pass bad data into kgsl_ioctl_gpuobj_sync(). If _copy_from_user() fails due to bad data, undo any current references taken through this ioctl call.

Bug: 74237606
Change-Id: I56195520b9dadba20ee419658fc2cbb282b8449c
Signed-off-by: Carter Cooper <ccooper@codeaurora.org>
Signed-off-by: samit vats <svats@codeaurora.org>
-
Eric Biggers authored
commit 4dca6ea1 upstream.

When the request_key() syscall is not passed a destination keyring, it links the requested key (if constructed) into the "default" request-key keyring. This should require Write permission to the keyring. However, there is actually no permission check.

This can be abused to add keys to any keyring to which only Search permission is granted. This is because Search permission allows joining the keyring. keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING) then will set the default request-key keyring to the session keyring. Then, request_key() can be used to add keys to the keyring.

Both negatively and positively instantiated keys can be added using this method. Adding negative keys is trivial. Adding a positive key is a bit trickier. It requires that either /sbin/request-key positively instantiates the key, or that another thread adds the key to the process keyring at just the right time, such that request_key() misses it initially but then finds it in construct_alloc_key().

Fix this bug by checking for Write permission to the keyring in construct_get_dest_keyring() when the default keyring is being used.

We don't do the permission check for non-default keyrings because that was already done by the earlier call to lookup_user_key(). Also, request_key_and_link() is currently passed a 'struct key *' rather than a key_ref_t, so the "possessed" bit is unavailable.

We also don't do the permission check for the "requestor keyring", to continue to support the use case described by commit 8bbf4976 ("KEYS: Alter use of key instantiation link-to-keyring argument") where /sbin/request-key recursively calls request_key() to add keys to the original requestor's destination keyring. (I don't know of any users who actually do that, though...)

Fixes: 3e30148c ("[PATCH] Keys: Make request-key create an authorisation key")
Bug: 71751178
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I22bf395912a0d4dd84f27d27138bd9d03dcce5ab
-
Eric Biggers authored
commit af3ff804 upstream.

Because the HMAC template didn't check that its underlying hash algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))" through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC being used without having been keyed, resulting in sha3_update() being called without sha3_init(), causing a stack buffer overflow.

This is a very old bug, but it seems to have only started causing real problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3) because the innermost hash's state is ->import()ed from a zeroed buffer, and it just so happens that other hash algorithms are fine with that, but SHA-3 is not. However, there could be arch or hardware-dependent hash algorithms also affected; I couldn't test everything.

Fix the bug by introducing a function crypto_shash_alg_has_setkey() which tests whether a shash algorithm is keyed. Then update the HMAC template to require that its underlying hash algorithm is unkeyed.

Here is a reproducer:

    #include <linux/if_alg.h>
    #include <sys/socket.h>

    int main()
    {
        int algfd;
        struct sockaddr_alg addr = {
            .salg_type = "hash",
            .salg_name = "hmac(hmac(sha3-512-generic))",
        };
        char key[4096] = { 0 };

        algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
        bind(algfd, (const struct sockaddr *)&addr, sizeof(addr));
        setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
    }

Here was the KASAN report from syzbot:

    BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341 [inline]
    BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
    Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044

    CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0x194/0x257 lib/dump_stack.c:53
     print_address_description+0x73/0x250 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351 [inline]
     kasan_report+0x25b/0x340 mm/kasan/report.c:409
     check_memory_region_inline mm/kasan/kasan.c:260 [inline]
     check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
     memcpy+0x37/0x50 mm/kasan/kasan.c:303
     memcpy include/linux/string.h:341 [inline]
     sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
     crypto_shash_update+0xcb/0x220 crypto/shash.c:109
     shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151
     crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
     hmac_finup+0x182/0x330 crypto/hmac.c:152
     crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
     shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172
     crypto_shash_digest+0xc4/0x120 crypto/shash.c:186
     hmac_setkey+0x36a/0x690 crypto/hmac.c:66
     crypto_shash_setkey+0xad/0x190 crypto/shash.c:64
     shash_async_setkey+0x47/0x60 crypto/shash.c:207
     crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200
     hash_setkey+0x40/0x90 crypto/algif_hash.c:446
     alg_setkey crypto/af_alg.c:221 [inline]
     alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254
     SYSC_setsockopt net/socket.c:1851 [inline]
     SyS_setsockopt+0x189/0x360 net/socket.c:1830
     entry_SYSCALL_64_fastpath+0x1f/0x96

Reported-by: syzbot <syzkaller@googlegroups.com>
Bug: 71752561
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Icfc16f18b0454ecc886cab0cdf9e93c018f2a44d
-
Liam Mark authored
Cleanup ION cache maintenance code to properly validate the target of userspace cache maintenance requests.

Bug: 72957321
Change-Id: I55b8e3584c59634f95250bc7c0bce5d8d70e6a13
Signed-off-by: Liam Mark <lmark@codeaurora.org>
-
Eric Biggers authored
commit 2eb9eabf upstream.

syzkaller with KASAN reported an out-of-bounds read in asn1_ber_decoder(). It can be reproduced by the following command, assuming CONFIG_X509_CERTIFICATE_PARSER=y and CONFIG_KASAN=y:

    keyctl add asymmetric desc $'\x30\x30' @s

The bug is that the length of an ASN.1 data value isn't validated in the case where it is encoded using the short form, causing the decoder to read past the end of the input buffer. Fix it by validating the length.

The bug report was:

    BUG: KASAN: slab-out-of-bounds in asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233
    Read of size 1 at addr ffff88003cccfa02 by task syz-executor0/6818

    CPU: 1 PID: 6818 Comm: syz-executor0 Not tainted 4.14.0-rc7-00008-g5f479447d983 #2
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:16 [inline]
     dump_stack+0xb3/0x10b lib/dump_stack.c:52
     print_address_description+0x79/0x2a0 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351 [inline]
     kasan_report+0x236/0x340 mm/kasan/report.c:409
     __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
     asn1_ber_decoder+0x10cb/0x1730 lib/asn1_decoder.c:233
     x509_cert_parse+0x1db/0x650 crypto/asymmetric_keys/x509_cert_parser.c:89
     x509_key_preparse+0x64/0x7a0 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xcb/0x1a0 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x347/0xb20 security/keys/key.c:855
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0x1cd/0x340 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x447c89
    RSP: 002b:00007fca7a5d3bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
    RAX: ffffffffffffffda RBX: 00007fca7a5d46cc RCX: 0000000000447c89
    RDX: 0000000020006f4a RSI: 0000000020006000 RDI: 0000000020001ff5
    RBP: 0000000000000046 R08: fffffffffffffffd R09: 0000000000000000
    R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
    R13: 0000000000000000 R14: 00007fca7a5d49c0 R15: 00007fca7a5d4700

Fixes: 42d5ec27 ("X.509: Add an ASN.1 decoder")
Bug: 73827422
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I49455e7006a338e15326c9c3e1a2607ebf09baf4
-
Hanumanth Reddy Pothula authored
FW memory dump feature is no longer used. Hence remove FW memory dump feature code changes.

Change-Id: Ida655f83630c369df746e7c0c9d61a8fee2932a2
CRs-Fixed: 2120605
Bug: 65542521
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
-
Sean Callanan authored
The FASTRPC_IOCTL_INIT ioctl registers a pointer for later access without checking that it is a user pointer. This could allow arbitrary kernel memory access. This patch verifies that the pointer is a user pointer.

Bug: 63165064
Change-Id: I936f73a2c2029f9e7ca12cc8fc06d0698e6710c0
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Sean Callanan <spyffe@google.com>
-
Vaishnavi Kommaraju authored
Add mutex lock to ensure atomic access to core handle in CPE alloc and dealloc sessions.

CRs-Fixed: 2169403
Bug: 62536960
Signed-off-by: Vaishnavi Kommaraju <vkommara@codeaurora.org>
Change-Id: Iaf95e462e6ec8bfa711013d2239140b51d897eff
-
Mike Maloney authored
[ Upstream commit 749439bf ]

The logic in __ip6_append_data() assumes that the MTU is at least large enough for the headers. A device's MTU may be adjusted after being added while sendmsg() is processing data, resulting in __ip6_append_data() seeing any MTU. For an mtu smaller than the size of the fragmentation header, the math results in a negative 'maxfraglen', which causes problems when refragmenting any previous skb in the skb_write_queue, leaving it possibly malformed.

Instead sendmsg returns EINVAL when the mtu is calculated to be less than IPV6_MIN_MTU.

Found by syzkaller:

    kernel BUG at ./include/linux/skbuff.h:2064!
    invalid opcode: 0000 [#1] SMP KASAN
    Dumping ftrace buffer:
       (ftrace buffer empty)
    Modules linked in:
    CPU: 1 PID: 14216 Comm: syz-executor5 Not tainted 4.13.0-rc4+ #2
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    task: ffff8801d0b68580 task.stack: ffff8801ac6b8000
    RIP: 0010:__skb_pull include/linux/skbuff.h:2064 [inline]
    RIP: 0010:__ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617
    RSP: 0018:ffff8801ac6bf570 EFLAGS: 00010216
    RAX: 0000000000010000 RBX: 0000000000000028 RCX: ffffc90003cce000
    RDX: 00000000000001b8 RSI: ffffffff839df06f RDI: ffff8801d9478ca0
    RBP: ffff8801ac6bf780 R08: ffff8801cc3f1dbc R09: 0000000000000000
    R10: ffff8801ac6bf7a0 R11: 43cb4b7b1948a9e7 R12: ffff8801cc3f1dc8
    R13: ffff8801cc3f1d40 R14: 0000000000001036 R15: dffffc0000000000
    FS:  00007f43d740c700(0000) GS:ffff8801dc100000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f7834984000 CR3: 00000001d79b9000 CR4: 00000000001406e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     ip6_finish_skb include/net/ipv6.h:911 [inline]
     udp_v6_push_pending_frames+0x255/0x390 net/ipv6/udp.c:1093
     udpv6_sendmsg+0x280d/0x31a0 net/ipv6/udp.c:1363
     inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762
     sock_sendmsg_nosec net/socket.c:633 [inline]
     sock_sendmsg+0xca/0x110 net/socket.c:643
     SYSC_sendto+0x352/0x5a0 net/socket.c:1750
     SyS_sendto+0x40/0x50 net/socket.c:1718
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x4512e9
    RSP: 002b:00007f43d740bc08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
    RAX: ffffffffffffffda RBX: 00000000007180a8 RCX: 00000000004512e9
    RDX: 000000000000002e RSI: 0000000020d08000 RDI: 0000000000000005
    RBP: 0000000000000086 R08: 00000000209c1000 R09: 000000000000001c
    R10: 0000000000040800 R11: 0000000000000216 R12: 00000000004b9c69
    R13: 00000000ffffffff R14: 0000000000000005 R15: 00000000202c2000
    Code: 9e 01 fe e9 c5 e8 ff ff e8 7f 9e 01 fe e9 4a ea ff ff 48 89 f7 e8 52 9e 01 fe e9 aa eb ff ff e8 a8 b6 cf fd 0f 0b e8 a1 b6 cf fd <0f> 0b 49 8d 45 78 4d 8d 45 7c 48 89 85 78 fe ff ff 49 8d 85 ba
    RIP: __skb_pull include/linux/skbuff.h:2064 [inline] RSP: ffff8801ac6bf570
    RIP: __ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617 RSP: ffff8801ac6bf570

Reported-by: syzbot <syzkaller@googlegroups.com>
Bug: 65023306
Signed-off-by: Mike Maloney <maloney@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: If7663cd538ca686c8a7874181b45bdb48630f538
-
Eric Biggers authored
commit e0058f3a upstream.

In asn1_ber_decoder(), indefinitely-sized ASN.1 items were being passed to the action functions before their lengths had been computed, using the bogus length of 0x80 (ASN1_INDEFINITE_LENGTH). This resulted in reading data past the end of the input buffer, when given a specially crafted message. Fix it by rearranging the code so that the indefinite length is resolved before the action is called.

This bug was originally found by fuzzing the X.509 parser in userspace using libFuzzer from the LLVM project.

KASAN report (cleaned up slightly):

    BUG: KASAN: slab-out-of-bounds in memcpy ./include/linux/string.h:341 [inline]
    BUG: KASAN: slab-out-of-bounds in x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
    Read of size 128 at addr ffff880035dd9eaf by task keyctl/195

    CPU: 1 PID: 195 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bbc6e9 #26
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0xd1/0x175 lib/dump_stack.c:53
     print_address_description+0x78/0x260 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351 [inline]
     kasan_report+0x23f/0x350 mm/kasan/report.c:409
     memcpy+0x1f/0x50 mm/kasan/kasan.c:302
     memcpy ./include/linux/string.h:341 [inline]
     x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
     asn1_ber_decoder+0xb4a/0x1fd0 lib/asn1_decoder.c:447
     x509_cert_parse+0x1c7/0x620 crypto/asymmetric_keys/x509_cert_parser.c:89
     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

    Allocated by task 195:
     __do_kmalloc_node mm/slab.c:3675 [inline]
     __kmalloc_node+0x47/0x60 mm/slab.c:3682
     kvmalloc ./include/linux/mm.h:540 [inline]
     SYSC_add_key security/keys/keyctl.c:104 [inline]
     SyS_add_key+0x19e/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

Fixes: 42d5ec27 ("X.509: Add an ASN.1 decoder")
Reported-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org> # v3.7+
Bug: 73827422
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ie5738889d965b8e45cf193ee6d098bab964d9675
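Added example, not the kernel's asn1_ber_decoder() and not code from either of the two ASN.1 entries above (the short-form length bug reproduced by `$'\x30\x30'`, and the indefinite-length item handed to an action with the 0x80 placeholder as its length). It is a minimal BER identifier-and-length reader written to make both fixes concrete: every definite length, short or long form, is checked against the bytes remaining before it is trusted, and an indefinite length is resolved by walking the children to the end-of-contents octets before the caller ever sees a content length. The error codes, function names and the constructed input vectors are this example's own; `syz_repro` is the two bytes from the keyctl command in the earlier entry, and the others are made up to cover the other branches.

```c
#include <stddef.h>
#include <stdint.h>

enum { BER_OK = 0, BER_TRUNCATED = -1, BER_BAD_LENGTH = -2, BER_UNSUPPORTED = -3 };
#define BER_INDEFINITE ((size_t)-1)

/* Reads one identifier and length octet group at data[*pos]. On success *pos
 * points at the first content octet and *len holds the definite content length
 * (already checked against the remaining input) or BER_INDEFINITE. */
static int ber_read_header(const uint8_t *data, size_t datalen, size_t *pos,
                           uint8_t *tag, size_t *len)
{
    size_t p = *pos;
    if (p >= datalen)
        return BER_TRUNCATED;
    *tag = data[p++];
    if ((*tag & 0x1f) == 0x1f)          /* high-tag-number form not handled here */
        return BER_UNSUPPORTED;
    if (p >= datalen)
        return BER_TRUNCATED;           /* tag present, length octet missing */
    uint8_t l = data[p++];
    if (l < 0x80) {
        /* short form: the declared length must fit in what is left */
        if (l > datalen - p)
            return BER_TRUNCATED;
        *len = l;
    } else if (l == 0x80) {
        *len = BER_INDEFINITE;          /* resolved by ber_item() before use */
    } else {
        unsigned n = l & 0x7f;          /* long form: n length octets follow */
        if (n > sizeof(size_t))
            return BER_BAD_LENGTH;
        if (n > datalen - p)
            return BER_TRUNCATED;
        size_t v = 0;
        for (unsigned i = 0; i < n; i++)
            v = (v << 8) | data[p++];
        if (v > datalen - p)
            return BER_TRUNCATED;
        *len = v;
    }
    *pos = p;
    return BER_OK;
}

/* Walks one complete item. For the indefinite form the children are walked
 * until the end-of-contents octets (00 00), so the caller sees a real content
 * length and never the 0x80 placeholder. */
static int ber_item(const uint8_t *data, size_t datalen, size_t *pos,
                    uint8_t *tag, size_t *content_start, size_t *content_len)
{
    size_t len;
    int rc = ber_read_header(data, datalen, pos, tag, &len);
    if (rc)
        return rc;
    *content_start = *pos;
    if (len != BER_INDEFINITE) {
        *content_len = len;
        *pos += len;
        return BER_OK;
    }
    if (!(*tag & 0x20))
        return BER_BAD_LENGTH;          /* indefinite form only for constructed items */
    for (;;) {
        uint8_t ctag;
        size_t cstart, clen;
        rc = ber_item(data, datalen, pos, &ctag, &cstart, &clen);
        if (rc)
            return rc;                  /* input ended before 00 00 */
        if (ctag == 0x00 && clen == 0) {
            *content_len = cstart - 2 - *content_start;
            return BER_OK;
        }
    }
}

/* Convenience wrapper: content length of the first item, or a negative error. */
static long ber_first_len(const uint8_t *data, size_t datalen)
{
    size_t pos = 0, start, len;
    uint8_t tag;
    int rc = ber_item(data, datalen, &pos, &tag, &start, &len);
    return rc ? rc : (long)len;
}

/* Constructed inputs. syz_repro is the keyctl payload from the short-form
 * entry: SEQUENCE claiming 0x30 content bytes with nothing following. */
static const uint8_t syz_repro[]       = { 0x30, 0x30 };
static const uint8_t seq_definite[]    = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const uint8_t seq_indefinite[]  = { 0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00 };
static const uint8_t seq_no_eoc[]      = { 0x30, 0x80, 0x02, 0x01, 0x05 };
static const uint8_t prim_indefinite[] = { 0x04, 0x80, 0x00, 0x00 };
static const uint8_t long_form[]       = { 0x04, 0x81, 0x02, 0xaa, 0xbb };
static const uint8_t long_form_short[] = { 0x04, 0x82, 0x01, 0x00, 0xaa };
```

The two checks that matter are the `l > datalen - p` test in the short-form branch, which is the one the first commit adds, and the fact that ber_item() only reports a content length once the end-of-contents octets have actually been located, which is the ordering the second commit restores; the same `datalen - p` arithmetic is safe because `p` is never advanced past `datalen`.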
-