From: Greg Kroah-Hartman Date: Thu, 24 Mar 2022 12:56:47 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.9.309~62 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba9302bf6b1a06080ce727496a921b035c600933;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch --- diff --git a/queue-5.4/net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch b/queue-5.4/net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch new file mode 100644 index 00000000000..4607670ffde --- /dev/null +++ b/queue-5.4/net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch 
@@ -0,0 +1,47 @@ +From 5e34af4142ffe68f01c8a9acae83300f8911e20c Mon Sep 17 00:00:00 2001 +From: Tadeusz Struk +Date: Thu, 10 Mar 2022 15:25:38 -0800 +Subject: net: ipv6: fix skb_over_panic in __ip6_append_data + +From: Tadeusz Struk + +commit 5e34af4142ffe68f01c8a9acae83300f8911e20c upstream. + +Syzbot found a kernel bug in the ipv6 stack: +LINK: https://syzkaller.appspot.com/bug?id=205d6f11d72329ab8d62a610c44c5e7e25415580 +The reproducer triggers it by sending a crafted message via sendmmsg() +call, which triggers skb_over_panic, and crashes the kernel: + +skbuff: skb_over_panic: text:ffffffff84647fb4 len:65575 put:65575 +head:ffff888109ff0000 data:ffff888109ff0088 tail:0x100af end:0xfec0 +dev: + +Update the check that prevents an invalid packet with MTU equal +to the fragment header size to eat up all the space for payload. + +The reproducer can be found here: +LINK: https://syzkaller.appspot.com/text?tag=ReproC&x=1648c83fb00000 + +Reported-by: syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com +Signed-off-by: Tadeusz Struk +Acked-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20220310232538.1044947-1-tadeusz.struk@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1429,8 +1429,8 @@ static int __ip6_append_data(struct sock + sizeof(struct frag_hdr) : 0) + + rt->rt6i_nfheader_len; + +- if (mtu < fragheaderlen || +- ((mtu - fragheaderlen) & ~7) + fragheaderlen < sizeof(struct frag_hdr)) ++ if (mtu <= fragheaderlen || ++ ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr)) + goto emsgsize; + + maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen - diff --git a/queue-5.4/series b/queue-5.4/series index 9b3910aaa24..c87e3e2380c 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -1,3 +1,4 @@ nfsd-cleanup-nfsd_file_lru_dispose.patch nfsd-containerise-filecache-laundrette.patch nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch +net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch
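Review bot: in the ip6_output.c hunk the second clause, `((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr)`, can only be true when fragheaderlen itself is no larger than sizeof(struct frag_hdr), which never happens because fragheaderlen includes the base IPv6 header; so the patched condition still only rejects mtu <= fragheaderlen. For mtu between fragheaderlen + 1 and fragheaderlen + 7 the `& ~7` rounds the slack down to zero, neither clause fires, and `maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen - sizeof(struct frag_hdr)` again comes out smaller than fragheaderlen, exactly the state the mtu == fragheaderlen case produced. Consider testing the aligned slack directly, e.g. `((mtu - fragheaderlen) & ~7) < sizeof(struct frag_hdr)`, which rejects both the equal case and the 1..7 byte cases, and adding a one-line comment saying why sizeof(struct frag_hdr) is the bound.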
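To make the arithmetic in the ip6_output.c hunk concrete, here is an added example that is not kernel code and not part of the stable-queue commit: it models the length check before and after the patch with the kernel's unsigned int arithmetic and the same maxfraglen formula, using the on-wire sizes 40 for struct ipv6hdr and 8 for struct frag_hdr. That the kernel later subtracts fragheaderlen from maxfraglen to size the data of each fragment is taken from my reading of ip6_output.c; the MTU and extension-header lengths fed in are constructed for illustration.

```c
/* Added example modelling the __ip6_append_data() length check; not
 * kernel code. Sizes and sample inputs are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define IPV6HDR_LEN  40U   /* sizeof(struct ipv6hdr), on-wire size */
#define FRAG_HDR_LEN  8U   /* sizeof(struct frag_hdr), on-wire size */

struct fragcalc {
	bool rejected;           /* the check took the "goto emsgsize" path */
	unsigned int maxfraglen; /* ((mtu - fragheaderlen) & ~7) + fragheaderlen - 8 */
	unsigned int payload;    /* maxfraglen - fragheaderlen, unsigned as in the kernel */
	bool underflow;          /* maxfraglen < fragheaderlen: payload wrapped */
};

/* fixed == false reproduces the pre-patch "<" comparisons, fixed == true
 * the patched "<=" ones. All values are unsigned int, as in the kernel. */
static struct fragcalc ip6_frag_check(unsigned int mtu, unsigned int fragheaderlen,
				      bool fixed)
{
	struct fragcalc r = {0};
	unsigned int aligned;

	if (fixed)
		r.rejected = mtu <= fragheaderlen ||
			     ((mtu - fragheaderlen) & ~7U) + fragheaderlen <= FRAG_HDR_LEN;
	else
		r.rejected = mtu < fragheaderlen ||
			     ((mtu - fragheaderlen) & ~7U) + fragheaderlen < FRAG_HDR_LEN;
	if (r.rejected)
		return r;

	aligned = (mtu - fragheaderlen) & ~7U;
	r.maxfraglen = aligned + fragheaderlen - FRAG_HDR_LEN;
	r.underflow = r.maxfraglen < fragheaderlen;
	r.payload = r.maxfraglen - fragheaderlen; /* wraps to ~4G when underflow */
	return r;
}

/* Constructed header length: base IPv6 header plus a hypothetical 1240
 * bytes of extension headers, so that it equals the IPv6 minimum MTU.
 * The syzbot reproducer inflates fragheaderlen through socket options. */
static const unsigned int sample_fragheaderlen = IPV6HDR_LEN + 1240U; /* 1280 */

int main(void)
{
	const unsigned int mtus[] = { 1280U, 1284U, 1288U, 1500U };
	size_t i;

	printf("fragheaderlen = %u\n", sample_fragheaderlen);
	printf("%6s %8s %10s %10s %8s\n", "mtu", "check", "rejected", "maxfraglen", "payload");
	for (i = 0; i < sizeof(mtus) / sizeof(mtus[0]); i++) {
		struct fragcalc old = ip6_frag_check(mtus[i], sample_fragheaderlen, false);
		struct fragcalc new = ip6_frag_check(mtus[i], sample_fragheaderlen, true);

		printf("%6u %8s %10s %10u %8u%s\n", mtus[i], "pre-fix",
		       old.rejected ? "yes" : "no", old.maxfraglen, old.payload,
		       old.underflow ? "  <-- underflow" : "");
		printf("%6u %8s %10s %10u %8u%s\n", mtus[i], "patched",
		       new.rejected ? "yes" : "no", new.maxfraglen, new.payload,
		       new.underflow ? "  <-- underflow" : "");
	}
	return 0;
}
```

Running it shows that with mtu == fragheaderlen the pre-fix check lets the packet through and maxfraglen ends up 8 bytes below fragheaderlen, so the unsigned per-fragment data length wraps; the patched check rejects that case. The 1284 row, where the slack rounds down to zero under `& ~7`, passes both versions of the check and still underflows, which is the residual case worth raising in review.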