--- /dev/null
+From 6613b6173dee098997229caf1f3b961c49da75e6 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 17 Jul 2018 21:03:15 +0200
+Subject: netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 6613b6173dee098997229caf1f3b961c49da75e6 upstream.
+
+When first DCCP packet is SYNC or SYNCACK, we insert a new conntrack
+that has an un-initialized timeout value, i.e. such entry could be
+reaped at any time.
+
+Mark them as INVALID and only ignore SYNC/SYNCACK when connection had
+an old state.
+
+Reported-by: syzbot+6f18401420df260e37ed@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_proto_dccp.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_dccp.c
++++ b/net/netfilter/nf_conntrack_proto_dccp.c
+@@ -244,14 +244,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][D
+ * We currently ignore Sync packets
+ *
+ * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
+- sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
++ sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
+ },
+ [DCCP_PKT_SYNCACK] = {
+ /*
+ * We currently ignore SyncAck packets
+ *
+ * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
+- sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
++ sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
+ },
+ },
+ [CT_DCCP_ROLE_SERVER] = {
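Review bot: The comment above each changed row still reads `We currently ignore Sync packets` / `We currently ignore SyncAck packets`, but the sNO column now maps to sIV, so the table no longer matches its own description; the same applies to the server-role hunk at `@@ -372,14 +372,14 @@` below. Suggest rewording both comments along the lines of `Sync packets are ignored only on an existing connection; with no prior state (sNO) they are invalid, since a conntrack created from them would have no timeout`, which records the reason given in the commit message. The dccp_state_table definition begins before this hunk and continues past it.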
+@@ -372,14 +372,14 @@ dccp_state_table[CT_DCCP_ROLE_MAX + 1][D
+ * We currently ignore Sync packets
+ *
+ * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
+- sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
++ sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
+ },
+ [DCCP_PKT_SYNCACK] = {
+ /*
+ * We currently ignore SyncAck packets
+ *
+ * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
+- sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
++ sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
+ },
+ },
+ };
--- /dev/null
+From 4576cd469d980317c4edd9173f8b694aa71ea3a3 Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 6 Aug 2018 10:38:34 -0400
+Subject: packet: refine ring v3 block size test to hold one frame
+
+From: Willem de Bruijn <willemb@google.com>
+
+commit 4576cd469d980317c4edd9173f8b694aa71ea3a3 upstream.
+
+TPACKET_V3 stores variable length frames in fixed length blocks.
+Blocks must be able to store a block header, optional private space
+and at least one minimum sized frame.
+
+Frames, even for a zero snaplen packet, store metadata headers and
+optional reserved space.
+
+In the block size bounds check, ensure that the frame of the
+chosen configuration fits. This includes sockaddr_ll and optional
+tp_reserve.
+
+Syzbot was able to construct a ring with insuffient room for the
+sockaddr_ll in the header of a zero-length frame, triggering an
+out-of-bounds write in dev_parse_header.
+
+Convert the comparison to less than, as zero is a valid snap len.
+This matches the test for minimum tp_frame_size immediately below.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/packet/af_packet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3853,6 +3853,8 @@ static int packet_set_ring(struct sock *
+ }
+
+ if (req->tp_block_nr) {
++ unsigned int min_frame_size;
++
+ /* Sanity tests and some calculations */
+ err = -EBUSY;
+ if (unlikely(rb->pg_vec))
+@@ -3875,12 +3877,12 @@ static int packet_set_ring(struct sock *
+ goto out;
+ if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
+ goto out;
++ min_frame_size = po->tp_hdrlen + po->tp_reserve;
+ if (po->tp_version >= TPACKET_V3 &&
+- req->tp_block_size <=
+- BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
++ req->tp_block_size <
++ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + min_frame_size)
+ goto out;
+- if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+- po->tp_reserve))
++ if (unlikely(req->tp_frame_size < min_frame_size))
+ goto out;
+ if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
+ goto out;
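Review bot: `min_frame_size = po->tp_hdrlen + po->tp_reserve;` is the value both bounds checks now hinge on, but nothing at the line says what it represents or why the block-size test needs it; a one-line comment would help, e.g. `/* smallest frame: tpacket header (per the fix, inclusive of sockaddr_ll) plus the user-requested tp_reserve */`. The sum is `unsigned int`, so it is only safe if `tp_reserve` is bounded where PACKET_RESERVE is set, which is outside this hunk — presumably it is, but stating that assumption in the comment would save the next reader the search. packet_set_ring begins before the hunk and continues after it.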
net-qca_spi-make-sure-the-qca7000-reset-is-triggered.patch
tcp-identify-cryptic-messages-as-tcp-seq-bugs.patch
staging-android-ion-check-for-kref-overflow.patch
+xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
+netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch
+packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
--- /dev/null
+From 45c180bc29babbedd6b8c01b975780ef44d9d09c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 18 Jun 2018 21:35:07 -0700
+Subject: xfrm_user: prevent leaking 2 bytes of kernel memory
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 45c180bc29babbedd6b8c01b975780ef44d9d09c upstream.
+
+struct xfrm_userpolicy_type has two holes, so we should not
+use C99 style initializer.
+
+KMSAN report:
+
+BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
+BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
+CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
+ kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
+ kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
+ copyout lib/iov_iter.c:140 [inline]
+ _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
+ copy_to_iter include/linux/uio.h:106 [inline]
+ skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
+ skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
+ netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
+ sock_recvmsg_nosec net/socket.c:802 [inline]
+ sock_recvmsg+0x1d6/0x230 net/socket.c:809
+ ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
+ __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
+ do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
+ __do_sys_recvmmsg net/socket.c:2485 [inline]
+ __se_sys_recvmmsg net/socket.c:2481 [inline]
+ __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x446ce9
+RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
+RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
+RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
+R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
+R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
+ kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
+ __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
+ __nla_put lib/nlattr.c:569 [inline]
+ nla_put+0x276/0x340 lib/nlattr.c:627
+ copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
+ dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
+ xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
+ xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
+ netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
+ __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
+ netlink_dump_start include/linux/netlink.h:214 [inline]
+ xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
+ netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
+ xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+Local variable description: ----upt.i@dump_one_policy
+Variable was created at:
+ dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
+ xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
+
+Byte 130 of 137 is uninitialized
+Memory access starts at ffff88019550407f
+
+Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_user.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1597,9 +1597,11 @@ static inline size_t userpolicy_type_att
+ #ifdef CONFIG_XFRM_SUB_POLICY
+ static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
+ {
+- struct xfrm_userpolicy_type upt = {
+- .type = type,
+- };
++ struct xfrm_userpolicy_type upt;
++
++ /* Sadly there are two holes in struct xfrm_userpolicy_type */
++ memset(&upt, 0, sizeof(upt));
++ upt.type = type;
+
+ return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
+ }
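Review bot: The comment `/* Sadly there are two holes in struct xfrm_userpolicy_type */` states the fact but not the consequence a later reader needs: a designated initializer is not required to zero padding bytes, and the whole object is handed to `nla_put` and so reaches userspace, which is why the memset is a correctness requirement rather than tidiness. Suggest `/* struct xfrm_userpolicy_type has padding; an initializer leaves it undefined and the whole object is copied to userspace, so zero it explicitly */`. copy_to_user_policy_type is fully within the hunk, but the `#else` counterpart under CONFIG_XFRM_SUB_POLICY is not visible here.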