From: Greg Kroah-Hartman Date: Tue, 27 Feb 2024 11:09:29 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v4.19.308~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f34ca847c4d5b1c51b02337ad72ce9bd0af6e139;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: arp-prevent-overflow-in-arp_req_get.patch --- diff --git a/queue-6.1/arp-prevent-overflow-in-arp_req_get.patch b/queue-6.1/arp-prevent-overflow-in-arp_req_get.patch new file mode 100644 index 00000000000..6481982e9da --- /dev/null +++ b/queue-6.1/arp-prevent-overflow-in-arp_req_get.patch 
@@ -0,0 +1,96 @@ +From a7d6027790acea24446ddd6632d394096c0f4667 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Thu, 15 Feb 2024 15:05:16 -0800 +Subject: arp: Prevent overflow in arp_req_get(). + +From: Kuniyuki Iwashima + +commit a7d6027790acea24446ddd6632d394096c0f4667 upstream. + +syzkaller reported an overflown write in arp_req_get(). [0] + +When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour +entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. + +The arp_ha here is struct sockaddr, not struct sockaddr_storage, so +the sa_data buffer is just 14 bytes. + +In the splat below, 2 bytes are overflown to the next int field, +arp_flags. We initialise the field just after the memcpy(), so it's +not a problem. + +However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), +arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) +in arp_ioctl() before calling arp_req_get(). + +To avoid the overflow, let's limit the max length of memcpy(). + +Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible +array in struct sockaddr") just silenced syzkaller. 
+ +[0]: +memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14) +WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 +Modules linked in: +CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014 +RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128 +Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6 +RSP: 0018:ffffc900050b7998 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001 +RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000 +R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010 +FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261 + inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981 + sock_do_ioctl+0xdf/0x260 net/socket.c:1204 + sock_ioctl+0x3ef/0x650 net/socket.c:1321 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x64/0xce +RIP: 0033:0x7f172b262b8d +Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 
48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d +RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003 +RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000 + + +Reported-by: syzkaller +Reported-by: Bjoern Doebel +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20240215230516.31330-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/arp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv4/arp.c ++++ b/net/ipv4/arp.c +@@ -1125,7 +1125,8 @@ static int arp_req_get(struct arpreq *r, + if (neigh) { + if (!(READ_ONCE(neigh->nud_state) & NUD_NOARP)) { + read_lock_bh(&neigh->lock); +- memcpy(r->arp_ha.sa_data, neigh->ha, dev->addr_len); ++ memcpy(r->arp_ha.sa_data, neigh->ha, ++ min(dev->addr_len, (unsigned char)sizeof(r->arp_ha.sa_data_min))); + r->arp_flags = arp_state_to_flags(neigh); + read_unlock_bh(&neigh->lock); + r->arp_ha.sa_family = dev->type; diff --git a/queue-6.1/series b/queue-6.1/series index 647f260ccea..1214db29405 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -191,3 +191,4 @@ mptcp-userspace-pm-send-rm_addr-for-id-0.patch mptcp-add-needs_id-for-netlink-appending-addr.patch ata-ahci-add-identifiers-for-asm2116-series-adapters.patch ahci-extend-asm1061-43-bit-dma-address-quirk-to-other-asm106x-parts.patch +arp-prevent-overflow-in-arp_req_get.patch
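Review bot: the replacement memcpy() in the net/ipv4/arp.c hunk bounds the copy with sizeof(r->arp_ha.sa_data_min), a field that is not part of the classic 14-byte struct sockaddr and presumably comes from the commit the message itself cites, b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr"); before queuing this for 6.1.y, confirm that commit is already in the 6.1 tree, otherwise the backport will not compile and the bound should be expressed as sizeof(r->arp_ha.sa_data) instead. The cast in `min(dev->addr_len, (unsigned char)sizeof(r->arp_ha.sa_data_min))` is there only to satisfy min()'s type check against the unsigned char addr_len; `min_t(unsigned char, ...)` would say the same thing more idiomatically. It is also worth a one-line note in the message that the fix deliberately truncates the returned hardware address to 14 bytes for devices whose addr_len is larger, since the splat shows a 16-byte copy and the text explains that lengths above 22 would reach arp_netmask; the truncation is the intended trade-off, not a leftover.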