linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-06 10:57:46 +00:00

No description

Find a file

Luca Coelho 6b524bc36a iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb() [ Upstream commit `de1887c064` ] We don't check for the validity of the lengths in the packet received from the firmware. If the MPDU length received in the rx descriptor is too short to contain the header length and the crypt length together, we may end up trying to copy a negative number of bytes (headlen - hdrlen < 0) which will underflow and cause us to try to copy a huge amount of data. This causes oopses such as this one: BUG: unable to handle kernel paging request at ffff896be2970000 PGD 5e201067 P4D 5e201067 PUD 5e205067 PMD 16110d063 PTE 8000000162970161 Oops: 0003 [#1] PREEMPT SMP NOPTI CPU: 2 PID: 1824 Comm: irq/134-iwlwifi Not tainted 4.19.33-04308-geea41cf4930f #1 Hardware name: [...] RIP: 0010:memcpy_erms+0x6/0x10 Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe RSP: 0018:ffffa4630196fc60 EFLAGS: 00010287 RAX: ffff896be2924618 RBX: ffff896bc8ecc600 RCX: 00000000fffb4610 RDX: 00000000fffffff8 RSI: ffff896a835e2a38 RDI: ffff896be2970000 RBP: ffffa4630196fd30 R08: ffff896bc8ecc600 R09: ffff896a83597000 R10: ffff896bd6998400 R11: 000000000200407f R12: ffff896a83597050 R13: 00000000fffffff8 R14: 0000000000000010 R15: ffff896a83597038 FS: 0000000000000000(0000) GS:ffff896be8280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff896be2970000 CR3: 000000005dc12002 CR4: 00000000003606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: iwl_mvm_rx_mpdu_mq+0xb51/0x121b [iwlmvm] iwl_pcie_rx_handle+0x58c/0xa89 [iwlwifi] iwl_pcie_irq_rx_msix_handler+0xd9/0x12a [iwlwifi] irq_thread_fn+0x24/0x49 irq_thread+0xb0/0x122 kthread+0x138/0x140 ret_from_fork+0x1f/0x40 Fix that by checking the lengths for correctness and trigger a warning to show that we have received wrong data. Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>		2019-05-25 18:25:36 +02:00
arch	ftrace/x86_64: Emulate call function while updating in breakpoint handler	2019-05-25 18:25:24 +02:00
block	block: do not leak memory in bio_copy_user_iov()	2019-04-17 08:37:53 +02:00
certs	Replace magic for trusting the secondary keyring with #define	2018-09-09 19:55:54 +02:00
crypto	crypto: ccm - fix incompatibility between "ccm" and "ccm_base"	2019-05-21 18:50:20 +02:00
Documentation	x86/speculation/mds: Improve CPU buffer clear documentation	2019-05-21 18:50:13 +02:00
drivers	iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb()	2019-05-25 18:25:36 +02:00
firmware	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
fs	ceph: flush dirty inodes before proceeding with remount	2019-05-25 18:25:22 +02:00
include	PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link erratum	2019-05-25 18:25:32 +02:00
init	init: initialize jump labels before command line option parsing	2019-05-16 19:42:23 +02:00
ipc	ipc/sem.c: prevent queue.status tearing in semop	2018-09-05 09:26:30 +02:00
kernel	tracing: Fix partial reading of trace event's id file	2019-05-25 18:25:24 +02:00
lib	iov_iter: optimize page_copy_sane()	2019-05-21 18:50:21 +02:00
mm	mm/mincore.c: make mincore() more conservative	2019-05-21 18:50:16 +02:00
net	mac80211: Fix kernel panic due to use of txq after free	2019-05-25 18:25:35 +02:00
samples	samples: mei: use /dev/mei0 instead of /dev/mei	2019-02-15 08:09:12 +01:00
scripts	kconfig/[mn]conf: handle backspace (^H) key	2019-05-04 09:15:22 +02:00
security	apparmorfs: fix use-after-free on symlink traversal	2019-05-25 18:25:35 +02:00
sound	ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug	2019-05-21 18:50:20 +02:00
tools	objtool: Allow AR to be overridden with HOSTAR	2019-05-25 18:25:26 +02:00
usr	initramfs: fix initramfs rebuilds w/ compression after disabling	2017-11-03 07:39:19 -07:00
virt	KVM: arm/arm64: Ensure vcpu target is unset on reset failure	2019-05-25 18:25:35 +02:00
.cocciconfig
.get_maintainer.ignore
.gitattributes	.gitattributes: set git diff driver for C source code files	2016-10-07 18:46:30 -07:00
.gitignore	kbuild: rpm-pkg: keep spec file until make mrproper	2018-02-13 10:19:46 +01:00
.mailmap	.mailmap: Add Maciej W. Rozycki's Imagination e-mail address	2017-11-10 12:16:15 -08:00
COPYING
CREDITS	MAINTAINERS: update TPM driver infrastructure changes	2017-11-09 17:58:40 -08:00
Kbuild	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
Kconfig	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
MAINTAINERS	MAINTAINERS: Add Sasha as a stable branch maintainer	2018-12-01 09:42:50 +01:00
Makefile	Linux 4.14.121	2019-05-21 18:50:21 +02:00
README	README: add a new README file, pointing to the Documentation/	2016-10-24 08:12:35 -02:00

README

Linux kernel
============

This file was moved to Documentation/admin-guide/README.rst

Please notice that there are several guides for kernel developers and users.
These guides can be rendered in a number of formats, like HTML and PDF.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.
See Documentation/00-INDEX for a list of what is contained in each file.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.