From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com,
Tadeusz Struk <tadeusz.struk@linaro.org>,
Willem de Bruijn <willemb@google.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 4.19 02/20] net: ipv6: fix skb_over_panic in __ip6_append_data
Date: Fri, 25 Mar 2022 16:04:40 +0100 [thread overview]
Message-ID: <20220325150417.082295724@linuxfoundation.org> (raw)
In-Reply-To: <20220325150417.010265747@linuxfoundation.org>
From: Tadeusz Struk <tadeusz.struk@linaro.org>
commit 5e34af4142ffe68f01c8a9acae83300f8911e20c upstream.
Syzbot found a kernel bug in the ipv6 stack:
LINK: https://syzkaller.appspot.com/bug?id=205d6f11d72329ab8d62a610c44c5e7e25415580
The reproducer triggers it by sending a crafted message via sendmmsg()
call, which triggers skb_over_panic, and crashes the kernel:
skbuff: skb_over_panic: text:ffffffff84647fb4 len:65575 put:65575
head:ffff888109ff0000 data:ffff888109ff0088 tail:0x100af end:0xfec0
dev:<NULL>
Update the check that prevents an invalid packet with MTU equal
to the fregment header size to eat up all the space for payload.
The reproducer can be found here:
LINK: https://syzkaller.appspot.com/text?tag=ReproC&x=1648c83fb00000
Reported-by: syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Acked-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20220310232538.1044947-1-tadeusz.struk@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_output.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1325,8 +1325,8 @@ static int __ip6_append_data(struct sock
sizeof(struct frag_hdr) : 0) +
rt->rt6i_nfheader_len;
- if (mtu < fragheaderlen ||
- ((mtu - fragheaderlen) & ~7) + fragheaderlen < sizeof(struct frag_hdr))
+ if (mtu <= fragheaderlen ||
+ ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr))
goto emsgsize;
maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen -
next prev parent reply other threads:[~2022-03-25 15:09 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-25 15:04 [PATCH 4.19 00/20] 4.19.237-rc1 review Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 01/20] nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION Greg Kroah-Hartman
2022-06-02 16:12 ` Pavel Machek
2022-06-02 16:30 ` [External] : " Denis Efremov
2022-06-02 19:03 ` Denis Efremov
2022-03-25 15:04 ` Greg Kroah-Hartman [this message]
2022-03-25 15:04 ` [PATCH 4.19 03/20] esp: Fix possible buffer overflow in ESP transformation Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 04/20] staging: fbtft: fb_st7789v: reset display before initialization Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 05/20] thermal: int340x: fix memory leak in int3400_notify() Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 06/20] llc: fix netdevice reference leaks in llc_ui_bind() Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 07/20] ASoC: sti: Fix deadlock via snd_pcm_stop_xrun() call Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 08/20] ALSA: oss: Fix PCM OSS buffer allocation overflow Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 09/20] ALSA: pcm: Add stream lock during PCM reset ioctl operations Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 10/20] ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 11/20] ALSA: cmipci: Restore aux vol on suspend/resume Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 12/20] ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 13/20] drivers: net: xgene: Fix regression in CRC stripping Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 14/20] netfilter: nf_tables: initialize registers in nft_do_chain() Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 15/20] ACPI / x86: Work around broken XSDT on Advantech DAC-BJ01 board Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 16/20] ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3 Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 17/20] ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 18/20] crypto: qat - disable registration of algorithms Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 19/20] mac80211: fix potential double free on mesh join Greg Kroah-Hartman
2022-03-25 15:04 ` [PATCH 4.19 20/20] nds32: fix access_ok() checks in get/put_user Greg Kroah-Hartman
2022-03-25 18:40 ` [PATCH 4.19 00/20] 4.19.237-rc1 review Pavel Machek
2022-03-25 23:25 ` Shuah Khan
2022-03-26 3:46 ` Samuel Zou
2022-03-26 14:04 ` Sudip Mukherjee
2022-03-26 14:24 ` Naresh Kamboju
2022-03-27 0:50 ` Guenter Roeck
2022-03-28 14:24 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220325150417.082295724@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com \
--cc=tadeusz.struk@linaro.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.