From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Anssi Hannula <anssi.hannula@bitwise.fi>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <alexander.levin@verizon.com>
Subject: [PATCH 4.4 07/46] net: xilinx_emaclite: fix receive buffer overflow
Date: Thu, 15 Jun 2017 19:52:26 +0200 [thread overview]
Message-ID: <20170615175218.644342775@linuxfoundation.org> (raw)
In-Reply-To: <20170615175218.286057711@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anssi Hannula <anssi.hannula@bitwise.fi>
[ Upstream commit cd224553641848dd17800fe559e4ff5d208553e8 ]
xilinx_emaclite looks at the received data to try to determine the
Ethernet packet length but does not properly clamp it if
proto_type == ETH_P_IP or 1500 < proto_type <= 1518, causing a buffer
overflow and a panic via skb_panic() as the length exceeds the allocated
skb size.
Fix those cases.
Also add an additional unconditional check with WARN_ON() at the end.
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/xilinx/xilinx_emaclite.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
@@ -379,7 +379,7 @@ static int xemaclite_send_data(struct ne
*
* Return: Total number of bytes received
*/
-static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data)
+static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data, int maxlen)
{
void __iomem *addr;
u16 length, proto_type;
@@ -419,7 +419,7 @@ static u16 xemaclite_recv_data(struct ne
/* Check if received ethernet frame is a raw ethernet frame
* or an IP packet or an ARP packet */
- if (proto_type > (ETH_FRAME_LEN + ETH_FCS_LEN)) {
+ if (proto_type > ETH_DATA_LEN) {
if (proto_type == ETH_P_IP) {
length = ((ntohl(xemaclite_readl(addr +
@@ -427,6 +427,7 @@ static u16 xemaclite_recv_data(struct ne
XEL_RXBUFF_OFFSET)) >>
XEL_HEADER_SHIFT) &
XEL_RPLR_LENGTH_MASK);
+ length = min_t(u16, length, ETH_DATA_LEN);
length += ETH_HLEN + ETH_FCS_LEN;
} else if (proto_type == ETH_P_ARP)
@@ -439,6 +440,9 @@ static u16 xemaclite_recv_data(struct ne
/* Use the length in the frame, plus the header and trailer */
length = proto_type + ETH_HLEN + ETH_FCS_LEN;
+ if (WARN_ON(length > maxlen))
+ length = maxlen;
+
/* Read from the EmacLite device */
xemaclite_aligned_read((u32 __force *) (addr + XEL_RXBUFF_OFFSET),
data, length);
@@ -613,7 +617,7 @@ static void xemaclite_rx_handler(struct
skb_reserve(skb, 2);
- len = xemaclite_recv_data(lp, (u8 *) skb->data);
+ len = xemaclite_recv_data(lp, (u8 *) skb->data, len);
if (!len) {
dev->stats.rx_errors++;
next prev parent reply other threads:[~2017-06-15 18:34 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 01/46] s390/vmem: fix identity mapping Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 02/46] partitions/msdos: FreeBSD UFS2 file systems are not recognized Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 03/46] ARM: dts: imx6dl: Fix the VDD_ARM_CAP voltage for 396MHz operation Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 04/46] staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 05/46] Call echo service immediately after socket reconnect Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 06/46] net: xilinx_emaclite: fix freezes due to unordered I/O Greg Kroah-Hartman
2017-06-15 17:52 ` Greg Kroah-Hartman [this message]
2017-06-15 17:52 ` [PATCH 4.4 08/46] ipv6: Handle IPv4-mapped src to in6addr_any dst Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 09/46] ipv6: Inhibit IPv4-mapped src address on the wire Greg Kroah-Hartman
2017-06-29 12:13 ` Ben Hutchings
2017-06-29 12:35 ` Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 10/46] NET: Fix /proc/net/arp for AX.25 Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 11/46] NET: mkiss: Fix panic Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 12/46] net: hns: Fix the device being used for dma mapping during TX Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 15/46] i2c: piix4: Fix request_region size Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 17/46] PM / runtime: Avoid false-positive warnings from might_sleep_if() Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 18/46] jump label: pass kbuild_cflags when checking for asm goto support Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 19/46] kasan: respect /proc/sys/kernel/traceoff_on_warning Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 20/46] log2: make order_base_2() behave correctly on const input value zero Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 21/46] ethtool: do not vzalloc(0) on registers dump Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 22/46] fscache: Fix dead object requeue Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 23/46] fscache: Clear outstanding writes when disabling a cookie Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 24/46] FS-Cache: Initialise stores_lock in netfs cookie Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 25/46] ipv6: fix flow labels when the traffic class is non-0 Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 26/46] drm/nouveau: prevent userspace from deleting client object Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 27/46] drm/nouveau/fence/g84-: protect against concurrent access to semaphore buffers Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 28/46] net/mlx4_core: Avoid command timeouts during VF driver device shutdown Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 29/46] gianfar: synchronize DMA API usage by free_skb_rx_queue w/ gfar_new_page Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 30/46] pinctrl: berlin-bg4ct: fix the value for "sd1a" of pin SCRD0_CRD_PRES Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 31/46] net: adaptec: starfire: add checks for dma mapping errors Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 32/46] parisc, parport_gsc: Fixes for printk continuation lines Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 33/46] drm/nouveau: Dont enabling polling twice on runtime resume Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 34/46] drm/ast: Fixed system hanged if disable P2A Greg Kroah-Hartman
2017-06-29 13:45 ` Ben Hutchings
2017-07-03 7:27 ` Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 35/46] ravb: unmap descriptors when freeing rings Greg Kroah-Hartman
2017-06-29 13:58 ` Ben Hutchings
2017-07-03 12:52 ` Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 36/46] nfs: Fix "Dont increment lock sequence ID after NFS4ERR_MOVED" Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 37/46] r8152: re-schedule napi for tx Greg Kroah-Hartman
2017-06-29 14:23 ` Ben Hutchings
2017-06-15 17:52 ` [PATCH 4.4 38/46] r8152: fix rtl8152_post_reset function Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 39/46] r8152: avoid start_xmit to schedule napi when napi is disabled Greg Kroah-Hartman
2017-06-29 14:35 ` Ben Hutchings
2017-06-15 17:52 ` [PATCH 4.4 40/46] sctp: sctp_addr_id2transport should verify the addr before looking up assoc Greg Kroah-Hartman
2017-06-15 17:53 ` [PATCH 4.4 41/46] romfs: use different way to generate fsid for BLOCK or MTD Greg Kroah-Hartman
2017-06-15 17:53 ` [PATCH 4.4 42/46] proc: add a schedule point in proc_pid_readdir() Greg Kroah-Hartman
2017-06-15 17:53 ` [PATCH 4.4 43/46] tipc: ignore requests when the connection state is not CONNECTED Greg Kroah-Hartman
2017-06-15 17:53 ` [PATCH 4.4 44/46] xtensa: dont use linux IRQ #0 Greg Kroah-Hartman
2017-06-15 17:53 ` [PATCH 4.4 45/46] s390/kvm: do not rely on the ILC on kvm host protection fauls Greg Kroah-Hartman
2017-06-15 17:53 ` [PATCH 4.4 46/46] sparc64: make string buffers large enough Greg Kroah-Hartman
2017-06-15 22:24 ` [PATCH 4.4 00/46] 4.4.73-stable review Shuah Khan
2017-06-16 0:39 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170615175218.644342775@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander.levin@verizon.com \
--cc=anssi.hannula@bitwise.fi \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).