4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 25 Sep 2020 09:12:45 +0000 (11:12 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 25 Sep 2020 09:12:45 +0000 (11:12 +0200)
added patches:
hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
ip-fix-tos-reflection-in-ack-and-reset-packets.patch
net-add-__must_check-to-skb_put_padto.patch
tipc-use-skb_unshare-instead-in-tipc_buf_append.patch

queue-4.4/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch [new file with mode: 0644]
queue-4.4/ip-fix-tos-reflection-in-ack-and-reset-packets.patch [new file with mode: 0644]
queue-4.4/net-add-__must_check-to-skb_put_padto.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch [new file with mode: 0644]

diff --git a/queue-4.4/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch b/queue-4.4/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
new file mode 100644 (file)
index 0000000..8b1cbed
--- /dev/null
@@ -0,0 +1,80 @@
+From foo@baz Fri Sep 25 11:07:59 AM CEST 2020
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 9 Sep 2020 12:46:48 +0300
+Subject: hdlc_ppp: add range checks in ppp_cp_parse_cr()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 66d42ed8b25b64eb63111a2b8582c5afc8bf1105 ]
+
+There are a couple bugs here:
+1) If opt[1] is zero then this results in a forever loop.  If the value
+   is less than 2 then it is invalid.
+2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
+   result in memory corruption.
+
+In the case of LCP_OPTION_ACCM, then  we should check "opt[1]" instead
+of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
+"nak_len" gets out of sync and it can lead to memory corruption in the
+next iterations through the loop.  In case of LCP_OPTION_MAGIC, the
+only valid value for opt[1] is 6, but the code is trying to log invalid
+data so we should only discard the data when "len" is less than 6
+because that leads to a read overflow.
+
+Reported-by: ChenNan Of Chaitin Security Research Lab  <whutchennan@gmail.com>
+Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/hdlc_ppp.c |   16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wan/hdlc_ppp.c
++++ b/drivers/net/wan/hdlc_ppp.c
+@@ -386,11 +386,8 @@ static void ppp_cp_parse_cr(struct net_d
+       }
+       for (opt = data; len; len -= opt[1], opt += opt[1]) {
+-              if (len < 2 || len < opt[1]) {
+-                      dev->stats.rx_errors++;
+-                      kfree(out);
+-                      return; /* bad packet, drop silently */
+-              }
++              if (len < 2 || opt[1] < 2 || len < opt[1])
++                      goto err_out;
+               if (pid == PID_LCP)
+                       switch (opt[0]) {
+@@ -398,6 +395,8 @@ static void ppp_cp_parse_cr(struct net_d
+                               continue; /* MRU always OK and > 1500 bytes? */
+                       case LCP_OPTION_ACCM: /* async control character map */
++                              if (opt[1] < sizeof(valid_accm))
++                                      goto err_out;
+                               if (!memcmp(opt, valid_accm,
+                                           sizeof(valid_accm)))
+                                       continue;
+@@ -409,6 +408,8 @@ static void ppp_cp_parse_cr(struct net_d
+                               }
+                               break;
+                       case LCP_OPTION_MAGIC:
++                              if (len < 6)
++                                      goto err_out;
+                               if (opt[1] != 6 || (!opt[2] && !opt[3] &&
+                                                   !opt[4] && !opt[5]))
+                                       break; /* reject invalid magic number */
+@@ -427,6 +428,11 @@ static void ppp_cp_parse_cr(struct net_d
+               ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data);
+       kfree(out);
++      return;
++
++err_out:
++      dev->stats.rx_errors++;
++      kfree(out);
+ }
+ static int ppp_rx(struct sk_buff *skb)
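Review bot: The new `err_out:` label at the end of the hunk drops the explanation that the removed block carried (`/* bad packet, drop silently */`), so a reader now sees rx_errors bumped and `out` freed without knowing this is the deliberate silent-drop path; restore it as `err_out: /* bad packet: count it and drop silently */`. The new loop guard `if (len < 2 || opt[1] < 2 || len < opt[1])` is what stops `len -= opt[1]` from wrapping and the loop from spinning on a zero-length option, and its three clauses read as redundant without a one-line comment above the `for` saying so. The `len < 6` check in the LCP_OPTION_MAGIC case bounds the `opt[2]`..`opt[5]` reads that follow, and the `opt[1] < sizeof(valid_accm)` check in the ACCM case bounds the memcmp; both are correct as written. ppp_cp_parse_cr() begins before the hunk and the type of `len` is not visible here, so the wrap-around reasoning assumes it is unsigned.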
diff --git a/queue-4.4/ip-fix-tos-reflection-in-ack-and-reset-packets.patch b/queue-4.4/ip-fix-tos-reflection-in-ack-and-reset-packets.patch
new file mode 100644 (file)
index 0000000..035b647
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Fri Sep 25 11:07:59 AM CEST 2020
+From: Wei Wang <weiwan@google.com>
+Date: Tue, 8 Sep 2020 14:09:34 -0700
+Subject: ip: fix tos reflection in ack and reset packets
+
+From: Wei Wang <weiwan@google.com>
+
+[ Upstream commit ba9e04a7ddf4f22a10e05bf9403db6b97743c7bf ]
+
+Currently, in tcp_v4_reqsk_send_ack() and tcp_v4_send_reset(), we
+echo the TOS value of the received packets in the response.
+However, we do not want to echo the lower 2 ECN bits in accordance
+with RFC 3168 6.1.5 robustness principles.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+
+Signed-off-by: Wei Wang <weiwan@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_output.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -73,6 +73,7 @@
+ #include <net/icmp.h>
+ #include <net/checksum.h>
+ #include <net/inetpeer.h>
++#include <net/inet_ecn.h>
+ #include <linux/igmp.h>
+ #include <linux/netfilter_ipv4.h>
+ #include <linux/netfilter_bridge.h>
+@@ -1597,7 +1598,7 @@ void ip_send_unicast_reply(struct sock *
+       if (IS_ERR(rt))
+               return;
+-      inet_sk(sk)->tos = arg->tos;
++      inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK;
+       sk->sk_priority = skb->priority;
+       sk->sk_protocol = ip_hdr(skb)->protocol;
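Review bot: The new assignment `inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK;` encodes an RFC requirement with no comment, so the mask reads like an arbitrary bit-clear to the next maintainer; add `/* RFC 3168 6.1.5: never reflect the peer's ECN bits in a reply */` above it. The commit message frames the change in terms of tcp_v4_reqsk_send_ack() and tcp_v4_send_reset(), but it lands in the shared ip_send_unicast_reply(), so every caller of that helper is affected and the backport should confirm no other 4.4 caller relied on the full TOS byte. ip_send_unicast_reply() begins and ends outside the hunk.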
diff --git a/queue-4.4/net-add-__must_check-to-skb_put_padto.patch b/queue-4.4/net-add-__must_check-to-skb_put_padto.patch
new file mode 100644 (file)
index 0000000..2263ffe
--- /dev/null
@@ -0,0 +1,30 @@
+From foo@baz Fri Sep 25 11:00:38 AM CEST 2020
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 9 Sep 2020 01:27:40 -0700
+Subject: net: add __must_check to skb_put_padto()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4a009cb04aeca0de60b73f37b102573354214b52 ]
+
+skb_put_padto() and __skb_put_padto() callers
+must check return values or risk use-after-free.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2651,7 +2651,7 @@ static inline int skb_padto(struct sk_bu
+  *    is untouched. Otherwise it is extended. Returns zero on
+  *    success. The skb is freed on error.
+  */
+-static inline int skb_put_padto(struct sk_buff *skb, unsigned int len)
++static inline int __must_check skb_put_padto(struct sk_buff *skb, unsigned int len)
+ {
+       unsigned int size = skb->len;
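Review bot: The kernel-doc comment directly above the changed prototype (`Returns zero on success. The skb is freed on error.`) still does not say that the return value must be checked, which is the whole reason for adding `__must_check`; extend it to `Returns zero on success. On error the skb has been freed and the caller must not touch it.` The annotation only helps if the 4.4 tree is then built with it and every caller that ignores the result is fixed, since each such caller dereferences a freed skb on the error path; this commit changes only the header, not the callers. skb_put_padto() continues past the hunk.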
index a5f69c5232ee3acaa8ccd38bf66651466a5a30dc..3663c19f077d309bff26245049fbb73e265a4e42 100644 (file)
@@ -4,3 +4,7 @@ kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
 ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch
 rdma-ucma-ucma_context-reference-leak-in-error-path.patch
 mtd-fix-comparison-in-map_word_andequal.patch
+hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
+tipc-use-skb_unshare-instead-in-tipc_buf_append.patch
+net-add-__must_check-to-skb_put_padto.patch
+ip-fix-tos-reflection-in-ack-and-reset-packets.patch
diff --git a/queue-4.4/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch b/queue-4.4/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch
new file mode 100644 (file)
index 0000000..e7809c2
--- /dev/null
@@ -0,0 +1,67 @@
+From foo@baz Fri Sep 25 11:07:59 AM CEST 2020
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 13 Sep 2020 19:37:31 +0800
+Subject: tipc: use skb_unshare() instead in tipc_buf_append()
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit ff48b6222e65ebdba5a403ef1deba6214e749193 ]
+
+In tipc_buf_append() it may change skb's frag_list, and it causes
+problems when this skb is cloned. skb_unclone() doesn't really
+make this skb's flag_list available to change.
+
+Shuang Li has reported an use-after-free issue because of this
+when creating quite a few macvlan dev over the same dev, where
+the broadcast packets will be cloned and go up to the stack:
+
+ [ ] BUG: KASAN: use-after-free in pskb_expand_head+0x86d/0xea0
+ [ ] Call Trace:
+ [ ]  dump_stack+0x7c/0xb0
+ [ ]  print_address_description.constprop.7+0x1a/0x220
+ [ ]  kasan_report.cold.10+0x37/0x7c
+ [ ]  check_memory_region+0x183/0x1e0
+ [ ]  pskb_expand_head+0x86d/0xea0
+ [ ]  process_backlog+0x1df/0x660
+ [ ]  net_rx_action+0x3b4/0xc90
+ [ ]
+ [ ] Allocated by task 1786:
+ [ ]  kmem_cache_alloc+0xbf/0x220
+ [ ]  skb_clone+0x10a/0x300
+ [ ]  macvlan_broadcast+0x2f6/0x590 [macvlan]
+ [ ]  macvlan_process_broadcast+0x37c/0x516 [macvlan]
+ [ ]  process_one_work+0x66a/0x1060
+ [ ]  worker_thread+0x87/0xb10
+ [ ]
+ [ ] Freed by task 3253:
+ [ ]  kmem_cache_free+0x82/0x2a0
+ [ ]  skb_release_data+0x2c3/0x6e0
+ [ ]  kfree_skb+0x78/0x1d0
+ [ ]  tipc_recvmsg+0x3be/0xa40 [tipc]
+
+So fix it by using skb_unshare() instead, which would create a new
+skb for the cloned frag and it'll be safe to change its frag_list.
+The similar things were also done in sctp_make_reassembled_event(),
+which is using skb_copy().
+
+Reported-by: Shuang Li <shuali@redhat.com>
+Fixes: 37e22164a8a3 ("tipc: rename and move message reassembly function")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/msg.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -138,7 +138,8 @@ int tipc_buf_append(struct sk_buff **hea
+       if (fragid == FIRST_FRAGMENT) {
+               if (unlikely(head))
+                       goto err;
+-              if (unlikely(skb_unclone(frag, GFP_ATOMIC)))
++              frag = skb_unshare(frag, GFP_ATOMIC);
++              if (unlikely(!frag))
+                       goto err;
+               head = *headbuf = frag;
+               *buf = NULL;
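Review bot: On the new failure branch `if (unlikely(!frag)) goto err;`, `*buf` still points at the skb that skb_unshare() has already released — skb_unshare() frees the original when the copy fails and returns NULL — so if the `err:` path (outside the hunk) frees `*buf`, as the surrounding reassembly code appears to, this is a double free of the original skb, the same class of bug the patch is fixing. Clear the caller's reference before the call so the error path sees NULL: `*buf = NULL;` followed by `frag = skb_unshare(frag, GFP_ATOMIC);`, after which the existing `*buf = NULL;` following the head assignment becomes redundant. tipc_buf_append() begins before the hunk and the `err:` label is not visible here, so confirm its cleanup against the actual code.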