From: Greg Kroah-Hartman
Date: Wed, 29 May 2019 00:56:17 +0000 (-0700)
Subject: 4.14-stable patches
X-Git-Tag: v5.1.6~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b58ebd3a902bec872f67e42d6001bdd17a05db77;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
net-erspan-fix-use-after-free.patch
---
diff --git a/queue-4.14/net-erspan-fix-use-after-free.patch b/queue-4.14/net-erspan-fix-use-after-free.patch
new file mode 100644
index 00000000000..93bcaab76d1
--- /dev/null
+++ b/queue-4.14/net-erspan-fix-use-after-free.patch
@@ -0,0 +1,76 @@
+From b423d13c08a656c719fa56324a8f4279c835d90c Mon Sep 17 00:00:00 2001
+From: William Tu
+Date: Tue, 23 Jan 2018 17:01:29 -0800
+Subject: net: erspan: fix use-after-free
+
+From: William Tu
+
+commit b423d13c08a656c719fa56324a8f4279c835d90c upstream.
+
+When building the erspan header for either v1 or v2, the eth_hdr()
+does not point to the right inner packet's eth_hdr,
+causing kasan report use-after-free and slab-out-of-bouds read.
+
+The patch fixes the following syzkaller issues:
+[1] BUG: KASAN: slab-out-of-bounds in erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
+[2] BUG: KASAN: slab-out-of-bounds in erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
+[3] BUG: KASAN: use-after-free in erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
+[4] BUG: KASAN: use-after-free in erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
+
+[2] CPU: 0 PID: 3654 Comm: syzkaller377964 Not tainted 4.15.0-rc9+ #185
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:252
+ kasan_report_error mm/kasan/report.c:351 [inline]
+ kasan_report+0x25b/0x340 mm/kasan/report.c:409
+ __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
+ erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
+ erspan_xmit+0x3b8/0x13b0 net/ipv4/ip_gre.c:740
+ __netdev_start_xmit include/linux/netdevice.h:4042 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4051 [inline]
+ packet_direct_xmit+0x315/0x6b0 net/packet/af_packet.c:266
+ packet_snd net/packet/af_packet.c:2943 [inline]
+ packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2968
+ sock_sendmsg_nosec net/socket.c:638 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:648
+ SYSC_sendto+0x361/0x5c0 net/socket.c:1729
+ SyS_sendto+0x40/0x50 net/socket.c:1697
+ do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
+ do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
+ entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
+RIP: 0023:0xf7fcfc79
+RSP: 002b:00000000ffc6976c EFLAGS: 00000286 ORIG_RAX: 0000000000000171
+RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020011000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020008000
+RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+Fixes: f551c91de262 ("net: erspan: introduce erspan v2 for ip_gre")
+Fixes: 84e54fe0a5ea ("gre: introduce native tunnel support for ERSPAN")
+Reported-by: syzbot+9723f2d288e49b492cf0@syzkaller.appspotmail.com
+Reported-by: syzbot+f0ddeb2b032a8e1d9098@syzkaller.appspotmail.com
+Reported-by: syzbot+f14b3703cd8d7670203f@syzkaller.appspotmail.com
+Reported-by: syzbot+eefa384efad8d7997f20@syzkaller.appspotmail.com
+Signed-off-by: William Tu
+Signed-off-by: David S. Miller
+Signed-off-by: Christoph Paasch
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/ip_gre.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -689,7 +689,7 @@ static void erspan_build_header(struct s
+ __be32 id, u32 index, bool truncate)
+ {
+ struct iphdr *iphdr = ip_hdr(skb);
+- struct ethhdr *eth = eth_hdr(skb);
++ struct ethhdr *eth = (struct ethhdr *)skb->data;
+ enum erspan_encap_type enc_type;
+ struct erspanhdr *ershdr;
+ struct qtag_prefix {
diff --git a/queue-4.14/series b/queue-4.14/series
index c42309606a5..2096f903367 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
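Review bot: The new line `struct ethhdr *eth = (struct ethhdr *)skb->data;` trusts that a full Ethernet header (ETH_HLEN bytes) is linear at skb->data, and nothing in the hunk checks that; the body continues past the hunk and the `struct qtag_prefix` declaration suggests it goes on to read `eth->h_proto` for a VLAN tag, so unless the caller already guarantees `skb->len >= ETH_HLEN` of pulled data, a runt frame injected into the tunnel (the syzkaller repro here comes in via AF_PACKET) would read past the buffer — the same class of bug this patch fixes. The replacement itself looks right as far as the hunk shows: eth_hdr() resolves through skb->mac_header, which per the commit message does not point at the inner frame at this point, whereas skb->data does. I would add a why-comment on the assignment so nobody "corrects" it back to eth_hdr(): `/* mac_header is not the inner frame here; the inner Ethernet header starts at skb->data */`, and confirm in erspan_xmit (outside this hunk) that the skb is pulled or cow'd to at least ETH_HLEN before erspan_build_header is called. erspan_build_header begins and ends outside the hunk, so the h_proto read is inferred, not visible.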
@@ -31,3 +31,4 @@ ssb-fix-possible-null-pointer-dereference-in-ssb_host_pcmcia_exit.patch
 bpf-devmap-fix-use-after-free-read-in-__dev_map_entry_free.patch
 batman-adv-mcast-fix-multicast-tt-tvlv-worker-locking.patch
 at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
+net-erspan-fix-use-after-free.patch