4.14-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Sun, 11 Oct 2020 08:38:57 +0000 (10:38 +0200)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Sun, 11 Oct 2020 08:38:57 +0000 (10:38 +0200)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Oct 2020 08:38:57 +0000 (10:38 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Oct 2020 08:38:57 +0000 (10:38 +0200)
diff --git a/queue-4.14/macsec-avoid-use-after-free-in-macsec_handle_frame.patch b/queue-4.14/macsec-avoid-use-after-free-in-macsec_handle_frame.patch

new file mode 100644 (file)

index 0000000..fb085e2
--- /dev/null
+++ b/queue-4.14/macsec-avoid-use-after-free-in-macsec_handle_frame.patch
@@ -0,0 +1,45 @@
+From c7cc9200e9b4a2ac172e990ef1975cd42975dad6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 7 Oct 2020 01:42:46 -0700
+Subject: macsec: avoid use-after-free in macsec_handle_frame()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit c7cc9200e9b4a2ac172e990ef1975cd42975dad6 upstream.
+
+De-referencing skb after call to gro_cells_receive() is not allowed.
+We need to fetch skb->len earlier.
+
+Fixes: 5491e7c6b1a9 ("macsec: enable GRO and RPS on macsec devices")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/macsec.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1081,6 +1081,7 @@ static rx_handler_result_t macsec_handle
+       struct macsec_rx_sa *rx_sa;
+       struct macsec_rxh_data *rxd;
+       struct macsec_dev *macsec;
++      unsigned int len;
+       sci_t sci;
+       u32 pn;
+       bool cbit;
+@@ -1236,9 +1237,10 @@ deliver:
+       macsec_rxsc_put(rx_sc);
+ 
+       skb_orphan(skb);
++      len = skb->len;
+       ret = gro_cells_receive(&macsec->gro_cells, skb);
+       if (ret == NET_RX_SUCCESS)
+-              count_rx(dev, skb->len);
++              count_rx(dev, len);
+       else
+               macsec->secy.netdev->stats.rx_dropped++;
+ 
diff --git a/queue-4.14/series b/queue-4.14/series

index ee7a73bcccf42c85dade1e75e70f9d1d5072c726..0471773dbb25a88732f5c57c3be36ae110dd103f 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -42,3 +42,4 @@ perf-top-fix-stdio-interface-input-handling-with-glibc-2.28.patch
  mtd-rawnand-sunxi-fix-the-probe-error-path.patch
  btrfs-fix-unexpected-failure-of-nocow-buffered-writes-after-snapshotting-when-low-on-space.patch
  ftrace-move-rcu-is-watching-check-after-recursion-check.patch
+macsec-avoid-use-after-free-in-macsec_handle_frame.patch
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sun, 11 Oct 2020 08:38:57 +0000 (10:38 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sun, 11 Oct 2020 08:38:57 +0000 (10:38 +0200)
queue-4.14/macsec-avoid-use-after-free-in-macsec_handle_frame.patch	[new file with mode: 0644]	patch \| blob
queue-4.14/series		patch \| blob \| blame \| history