From 57cbceb801662a32b5d91a046ee8c3dd8fb1b68c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 9 Sep 2023 14:32:28 +0100
Subject: [PATCH] 5.10-stable patches

added patches:
	arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch
---
 ...p-checksum-code-for-negative-lengths.patch | 75 +++++++++++++++++++
 queue-5.10/series                             |  1 +
 2 files changed, 76 insertions(+)
 create mode 100644 queue-5.10/arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch

diff --git a/queue-5.10/arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch b/queue-5.10/arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch
new file mode 100644
index 00000000000..3b18571031a
--- /dev/null
+++ b/queue-5.10/arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch
@@ -0,0 +1,75 @@
+From 8bd795fedb8450ecbef18eeadbd23ed8fc7630f5 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 7 Sep 2023 09:54:11 +0100
+Subject: arm64: csum: Fix OoB access in IP checksum code for negative lengths
+
+From: Will Deacon <will@kernel.org>
+
+commit 8bd795fedb8450ecbef18eeadbd23ed8fc7630f5 upstream.
+
+Although commit c2c24edb1d9c ("arm64: csum: Fix pathological zero-length
+calls") added an early return for zero-length input, syzkaller has
+popped up with an example of a _negative_ length which causes an
+undefined shift and an out-of-bounds read:
+
+ | BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39
+ | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975
+ |
+ | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0
+ | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
+ | Call trace:
+ |  dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
+ |  show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
+ |  __dump_stack lib/dump_stack.c:88 [inline]
+ |  dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
+ |  print_address_description mm/kasan/report.c:351 [inline]
+ |  print_report+0x174/0x514 mm/kasan/report.c:462
+ |  kasan_report+0xd4/0x130 mm/kasan/report.c:572
+ |  kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187
+ |  __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31
+ |  do_csum+0x44/0x254 arch/arm64/lib/csum.c:39
+ |  csum_partial+0x30/0x58 lib/checksum.c:128
+ |  gso_make_checksum include/linux/skbuff.h:4928 [inline]
+ |  __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332
+ |  udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47
+ |  ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119
+ |  skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141
+ |  __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401
+ |  skb_gso_segment include/linux/netdevice.h:4859 [inline]
+ |  validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659
+ |  validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709
+ |  sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327
+ |  __dev_xmit_skb net/core/dev.c:3805 [inline]
+ |  __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210
+ |  dev_queue_xmit include/linux/netdevice.h:3085 [inline]
+ |  packet_xmit+0x6c/0x318 net/packet/af_packet.c:276
+ |  packet_snd net/packet/af_packet.c:3081 [inline]
+ |  packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113
+ |  sock_sendmsg_nosec net/socket.c:724 [inline]
+ |  sock_sendmsg net/socket.c:747 [inline]
+ |  __sys_sendto+0x3b4/0x538 net/socket.c:2144
+
+Extend the early return to reject negative lengths as well, aligning our
+implementation with the generic code in lib/checksum.c
+
+Cc: Robin Murphy <robin.murphy@arm.com>
+Fixes: 5777eaed566a ("arm64: Implement optimised checksum routine")
+Reported-by: syzbot+4a9f9820bd8d302e22f7@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/000000000000e0e94c0603f8d213@google.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/lib/csum.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/lib/csum.c
++++ b/arch/arm64/lib/csum.c
+@@ -24,7 +24,7 @@ unsigned int __no_sanitize_address do_cs
+ 	const u64 *ptr;
+ 	u64 data, sum64 = 0;
+ 
+-	if (unlikely(len == 0))
++	if (unlikely(len <= 0))
+ 		return 0;
+ 
+ 	offset = (unsigned long)buff & 7;
diff --git a/queue-5.10/series b/queue-5.10/series
index 7a7fa359cad..5721d0c5558 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -283,3 +283,4 @@ backlight-gpio_backlight-compare-against-struct-fb_info.device.patch
 backlight-bd6107-compare-against-struct-fb_info.device.patch
 backlight-lv5207lp-compare-against-struct-fb_info.device.patch
 xtensa-pmu-fix-base-address-for-the-newer-hardware.patch
+arm64-csum-fix-oob-access-in-ip-checksum-code-for-negative-lengths.patch
-- 
2.47.3