mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-10 02:29:01 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Eric Dumazet 6816295fe9 ip_tunnel: better validate user provided tunnel names 
[ Upstream commit 9cb726a212 ]

Use dev_valid_name() to make sure user does not provide illegal
device name.

syzbot caught the following bug :

BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
BUG: KASAN: stack-out-of-bounds in __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257
Write of size 20 at addr ffff8801ac79f810 by task syzkaller268107/4482

CPU: 0 PID: 4482 Comm: syzkaller268107 Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b9/0x29f lib/dump_stack.c:53
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x37/0x50 mm/kasan/kasan.c:303
 strlcpy include/linux/string.h:300 [inline]
 __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257
 ip_tunnel_create net/ipv4/ip_tunnel.c:352 [inline]
 ip_tunnel_ioctl+0x818/0xd40 net/ipv4/ip_tunnel.c:861
 ipip_tunnel_ioctl+0x1c5/0x420 net/ipv4/ipip.c:350
 dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
 dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
 sock_ioctl+0x47e/0x680 net/socket.c:1015
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 SYSC_ioctl fs/ioctl.c:708 [inline]
 SyS_ioctl+0x24/0x30 fs/ioctl.c:706
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: c544193214 ("GRE: Refactor GRE tunneling code.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-04-12 12:32:25 +02:00
..
6lowpan License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
9p 9p/trans_virtio: discard zero-length reply 2018-02-22 15:42:30 +01:00
802 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
8021q vlan: also check phy_driver ts_info for vlan's real device 2018-04-12 12:32:24 +02:00
appletalk License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atm License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ax25 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
batman-adv
bluetooth Bluetooth: Fix missing encryption refresh on Security Request 2018-04-08 14:26:30 +02:00
bpf
bridge netfilter: bridge: ebt_among: add more missing match size checks 2018-04-08 14:26:29 +02:00
caif License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
can can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once 2018-01-23 19:58:17 +01:00
ceph libceph: don't WARN() if user tries to add invalid key 2017-11-30 08:40:45 +00:00
core net: fool proof dev_valid_name() 2018-04-12 12:32:25 +02:00
dcb
dccp dccp: check sk for closed state in dccp_sendmsg() 2018-03-31 18:10:40 +02:00
decnet dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock 2018-02-25 11:07:52 +01:00
dns_resolver
dsa net: dsa: return after vlan prepare phase 2017-11-11 15:45:09 +09:00
ethernet
hsr
ieee802154 ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event() 2018-03-31 18:10:40 +02:00
ife MAINTAINERS: Update Yotam's E-mail 2017-11-01 12:19:03 +09:00
ipv4 ip_tunnel: better validate user provided tunnel names 2018-04-12 12:32:25 +02:00
ipv6 net/ipv6: Increment OUTxxx counters after netfilter hook 2018-04-12 12:32:23 +02:00
ipx License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iucv net/iucv: Free memory obtained by kzalloc 2018-03-31 18:10:41 +02:00
kcm kcm: lock lower socket in kcm_attach 2018-03-31 18:10:40 +02:00
key af_key: fix buffer overread in parse_exthdrs() 2018-01-23 19:58:12 +01:00
l2tp l2tp: fix missing print session offset info 2018-04-12 12:32:12 +02:00
l3mdev
lapb
llc License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mac80211 mac80211: Fix setting TX power on monitor interfaces 2018-04-12 12:32:15 +02:00
mac802154 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mpls mpls, nospec: Sanitize array index in mpls_label_ok() 2018-02-22 15:42:28 +01:00
ncsi net/ncsi: Fix length of GVI response packet 2017-10-21 01:56:38 +01:00
netfilter netfilter: x_tables: add and use xt_check_proc_name 2018-04-08 14:26:29 +02:00
netlabel License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netlink netlink: make sure nladdr has correct size in netlink_connect() 2018-04-12 12:32:23 +02:00
netrom
nfc NFC: fix device-allocation error return 2017-11-30 08:40:55 +00:00
nsh
openvswitch openvswitch: fix the incorrect flow action alloc size 2018-02-03 17:39:03 +01:00
packet net/packet: fix a race in packet_bind() and packet_notifier() 2017-12-17 15:07:56 +01:00
phonet License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
psample MAINTAINERS: Update Yotam's E-mail 2017-11-01 12:19:03 +09:00
qrtr qrtr: Move to postcore_initcall 2017-11-08 14:32:18 +09:00
rds rds; Reset rs->rs_bound_addr in rds_add_bound() failure path 2018-04-12 12:32:12 +02:00
rfkill
rose
rxrpc rxrpc: Fix send in rxrpc_send_data_packet() 2018-03-08 22:41:12 -08:00
sched net/sched: fix NULL dereference in the error path of tcf_bpf_init() 2018-04-12 12:32:23 +02:00
sctp sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6 2018-04-12 12:32:24 +02:00
smc net/smc: fix NULL pointer dereference on sock_create_kern() error path 2018-03-15 10:54:28 +01:00
strparser strparser: Use delayed work instead of timer for msg timeout 2017-10-25 10:37:11 +09:00
sunrpc xprtrdma: Fix BUG after a device removal 2018-02-22 15:42:29 +01:00
switchdev
tipc tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path 2018-03-03 10:24:30 +01:00
tls tls: reset crypto_info when do_tls_setsockopt_tx fails 2018-01-31 14:03:48 +01:00
unix License cleanup: add SPDX license identifiers to some files 2017-11-02 10:04:46 -07:00
vmw_vsock VSOCK: fix outdated sk_state value in hvs_release() 2018-02-25 11:07:59 +01:00
wimax License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
wireless nl80211: Check for the required netlink attribute presence 2018-03-03 10:24:34 +01:00
x25 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfrm xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems 2018-04-08 14:26:29 +02:00
compat.c
Kconfig
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
socket.c kmemcheck: remove annotations 2018-02-22 15:42:23 +01:00
sysctl_net.c