5.15-stable patches

added patches:
	ipv6-fix-signed-integer-overflow-in-__ip6_append_data.patch

diff --git a/queue-5.15/ipv6-fix-signed-integer-overflow-in-__ip6_append_data.patch b/queue-5.15/ipv6-fix-signed-integer-overflow-in-__ip6_append_data.patch
new file mode 100644 (file)
index 0000000..3120e6f
--- /dev/null
+++ b/queue-5.15/ipv6-fix-signed-integer-overflow-in-__ip6_append_data.patch
@@ -0,0 +1,111 @@
+From f93431c86b631bbca5614c66f966bf3ddb3c2803 Mon Sep 17 00:00:00 2001
+From: Wang Yufen <wangyufen@huawei.com>
+Date: Tue, 7 Jun 2022 20:00:27 +0800
+Subject: ipv6: Fix signed integer overflow in __ip6_append_data
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+commit f93431c86b631bbca5614c66f966bf3ddb3c2803 upstream.
+
+Resurrect ubsan overflow checks and ubsan report this warning,
+fix it by change the variable [length] type to size_t.
+
+UBSAN: signed-integer-overflow in net/ipv6/ip6_output.c:1489:19
+2147479552 + 8567 cannot be represented in type 'int'
+CPU: 0 PID: 253 Comm: err Not tainted 5.16.0+ #1
+Hardware name: linux,dummy-virt (DT)
+Call trace:
+  dump_backtrace+0x214/0x230
+  show_stack+0x30/0x78
+  dump_stack_lvl+0xf8/0x118
+  dump_stack+0x18/0x30
+  ubsan_epilogue+0x18/0x60
+  handle_overflow+0xd0/0xf0
+  __ubsan_handle_add_overflow+0x34/0x44
+  __ip6_append_data.isra.48+0x1598/0x1688
+  ip6_append_data+0x128/0x260
+  udpv6_sendmsg+0x680/0xdd0
+  inet6_sendmsg+0x54/0x90
+  sock_sendmsg+0x70/0x88
+  ____sys_sendmsg+0xe8/0x368
+  ___sys_sendmsg+0x98/0xe0
+  __sys_sendmmsg+0xf4/0x3b8
+  __arm64_sys_sendmmsg+0x34/0x48
+  invoke_syscall+0x64/0x160
+  el0_svc_common.constprop.4+0x124/0x300
+  do_el0_svc+0x44/0xc8
+  el0_svc+0x3c/0x1e8
+  el0t_64_sync_handler+0x88/0xb0
+  el0t_64_sync+0x16c/0x170
+
+Changes since v1:
+-Change the variable [length] type to unsigned, as Eric Dumazet suggested.
+Changes since v2:
+-Don't change exthdrlen type in ip6_make_skb, as Paolo Abeni suggested.
+Changes since v3:
+-Don't change ulen type in udpv6_sendmsg and l2tp_ip6_sendmsg, as
+Jakub Kicinski suggested.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Link: https://lore.kernel.org/r/20220607120028.845916-1-wangyufen@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[ Conflict due to f37a4cc6bb0b ("udp6: pass flow in ip6_make_skb
+  together with cork") not in the tree ]
+Signed-off-by: Abdelkareem Abdelsaamad <kareemem@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ipv6.h    |    4 ++--
+ net/ipv6/ip6_output.c |    6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -1000,7 +1000,7 @@ int ip6_find_1stfragopt(struct sk_buff *
+ int ip6_append_data(struct sock *sk,
+                   int getfrag(void *from, char *to, int offset, int len,
+                               int odd, struct sk_buff *skb),
+-                  void *from, int length, int transhdrlen,
++                  void *from, size_t length, int transhdrlen,
+                   struct ipcm6_cookie *ipc6, struct flowi6 *fl6,
+                   struct rt6_info *rt, unsigned int flags);
+ 
+@@ -1016,7 +1016,7 @@ struct sk_buff *__ip6_make_skb(struct so
+ struct sk_buff *ip6_make_skb(struct sock *sk,
+                            int getfrag(void *from, char *to, int offset,
+                                        int len, int odd, struct sk_buff *skb),
+-                           void *from, int length, int transhdrlen,
++                           void *from, size_t length, int transhdrlen,
+                            struct ipcm6_cookie *ipc6, struct flowi6 *fl6,
+                            struct rt6_info *rt, unsigned int flags,
+                            struct inet_cork_full *cork);
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1461,7 +1461,7 @@ static int __ip6_append_data(struct sock
+                            struct page_frag *pfrag,
+                            int getfrag(void *from, char *to, int offset,
+                                        int len, int odd, struct sk_buff *skb),
+-                           void *from, int length, int transhdrlen,
++                           void *from, size_t length, int transhdrlen,
+                            unsigned int flags, struct ipcm6_cookie *ipc6)
+ {
+       struct sk_buff *skb, *skb_prev = NULL;
+@@ -1806,7 +1806,7 @@ error:
+ int ip6_append_data(struct sock *sk,
+                   int getfrag(void *from, char *to, int offset, int len,
+                               int odd, struct sk_buff *skb),
+-                  void *from, int length, int transhdrlen,
++                  void *from, size_t length, int transhdrlen,
+                   struct ipcm6_cookie *ipc6, struct flowi6 *fl6,
+                   struct rt6_info *rt, unsigned int flags)
+ {
+@@ -2000,7 +2000,7 @@ EXPORT_SYMBOL_GPL(ip6_flush_pending_fram
+ struct sk_buff *ip6_make_skb(struct sock *sk,
+                            int getfrag(void *from, char *to, int offset,
+                                        int len, int odd, struct sk_buff *skb),
+-                           void *from, int length, int transhdrlen,
++                           void *from, size_t length, int transhdrlen,
+                            struct ipcm6_cookie *ipc6, struct flowi6 *fl6,
+                            struct rt6_info *rt, unsigned int flags,
+                            struct inet_cork_full *cork)

diff --git a/queue-5.15/series b/queue-5.15/series
index 038082ecb73b200deee52496015a316d86eaf018..c63f6b5382592194bdeb0caa4e06ae89f2923495 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -1,3 +1,4 @@
 vlan-fix-memory-leak-in-vlan_newlink.patch
 clockevents-drivers-i8253-fix-stop-sequence-for-timer-0.patch
 sched-isolation-prevent-boot-crash-when-the-boot-cpu-is-nohz_full.patch
+ipv6-fix-signed-integer-overflow-in-__ip6_append_data.patch