mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-09 18:19:06 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Eric Dumazet 8c12bd91b5 tcp: fix TCP_REPAIR_QUEUE bound checking 
commit bf2acc943a upstream.

syzbot is able to produce a nasty WARN_ON() in tcp_verify_left_out()
with following C-repro :

socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
bind(3, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
sendto(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
	1242, MSG_FASTOPEN, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("127.0.0.1")}, 16) = 1242
setsockopt(3, SOL_TCP, TCP_REPAIR_WINDOW, "\4\0\0@+\205\0\0\377\377\0\0\377\377\377\177\0\0\0\0", 20) = 0
writev(3, [{"\270", 1}], 1)             = 1
setsockopt(3, SOL_TCP, TCP_REPAIR_OPTIONS, "\10\0\0\0\0\0\0\0\0\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 386) = 0
writev(3, [{"\210v\r[\226\320t\231qwQ\204\264l\254\t\1\20\245\214p\350H\223\254;\\\37\345\307p$"..., 3144}], 1) = 3144

The 3rd system call looks odd :
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0

This patch makes sure bound checking is using an unsigned compare.

Fixes: ee9952831c ("tcp: Initial repair mode")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-16 10:10:24 +02:00
..
6lowpan License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
9p 9p/trans_virtio: discard zero-length reply 2018-02-22 15:42:30 +01:00
802 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
8021q vlan: also check phy_driver ts_info for vlan's real device 2018-04-12 12:32:24 +02:00
appletalk License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atm License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ax25 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-08-09 16:28:45 -07:00
bluetooth Bluetooth: Fix connection if directed advertising and privacy is used 2018-04-19 08:56:19 +02:00
bpf
bridge netfilter: ebtables: don't attempt to allocate 0-sized compat array 2018-05-16 10:10:22 +02:00
caif License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
can can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once 2018-01-23 19:58:17 +01:00
ceph libceph: validate con->state at the top of try_write() 2018-05-01 12:58:23 -07:00
core net: fix uninit-value in __hw_addr_add_ex() 2018-05-16 10:10:23 +02:00
dcb rtnetlink: make rtnl_register accept a flags parameter 2017-08-09 16:57:38 -07:00
dccp dccp: initialize ireq->ir_mark 2018-05-16 10:10:24 +02:00
decnet dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock 2018-02-25 11:07:52 +01:00
dns_resolver KEYS: DNS: limit the length of option strings 2018-04-29 11:33:10 +02:00
dsa net: dsa: Discard frames from unused ports 2018-04-24 09:36:39 +02:00
ethernet
hsr net/hsr: Check skb_put_padto() return value 2017-08-22 13:40:23 -07:00
ieee802154 ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event() 2018-03-31 18:10:40 +02:00
ife net: sched: ife: check on metadata length 2018-04-29 11:33:13 +02:00
ipv4 tcp: fix TCP_REPAIR_QUEUE bound checking 2018-05-16 10:10:24 +02:00
ipv6 net: don't call update_pmtu unconditionally 2018-05-09 09:51:48 +02:00
ipx License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iucv net/iucv: Free memory obtained by kzalloc 2018-03-31 18:10:41 +02:00
kcm kcm: Call strp_stop before strp_done in kcm_attach 2018-05-16 10:10:23 +02:00
key af_key: fix buffer overread in parse_exthdrs() 2018-01-23 19:58:12 +01:00
l2tp l2tp: check sockaddr length in pppol2tp_connect() 2018-04-29 11:33:11 +02:00
l3mdev
lapb net, lapb: convert lapb_cb.refcnt from atomic_t to refcount_t 2017-07-04 22:35:16 +01:00
llc llc: fix NULL pointer deref for SOCK_ZAPPED 2018-04-29 11:33:13 +02:00
mac80211 mac80211: Fix setting TX power on monitor interfaces 2018-04-12 12:32:15 +02:00
mac802154 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mpls mpls, nospec: Sanitize array index in mpls_label_ok() 2018-02-22 15:42:28 +01:00
ncsi net/ncsi: Fix length of GVI response packet 2017-10-21 01:56:38 +01:00
netfilter ipvs: fix rtnl_lock lockups caused by start_sync_thread 2018-05-16 10:10:22 +02:00
netlabel License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netlink netlink: fix uninit-value in netlink_sendmsg 2018-05-16 10:10:23 +02:00
netrom net, netrom: convert nr_node.refcount from atomic_t to refcount_t 2017-07-04 22:35:17 +01:00
nfc NFC: fix device-allocation error return 2017-11-30 08:40:55 +00:00
nsh nsh: add GSO support 2017-08-29 15:16:52 -07:00
openvswitch openvswitch: Remove padding from packet before L3+ conntrack processing 2018-04-26 11:02:15 +02:00
packet packet: fix bitfield update race 2018-04-29 11:33:12 +02:00
phonet License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
psample MAINTAINERS: Update Yotam's E-mail 2017-11-01 12:19:03 +09:00
qrtr qrtr: Move to postcore_initcall 2017-11-08 14:32:18 +09:00
rds RDS: IB: Fix null pointer issue 2018-04-26 11:02:17 +02:00
rfkill
rose
rxrpc rxrpc: Don't put crypto buffers on the stack 2018-04-26 11:02:19 +02:00
sched net: sched: ife: handle malformed tlv length 2018-04-29 11:33:13 +02:00
sctp sctp: do not check port in sctp_inet6_cmp_addr 2018-04-29 11:33:12 +02:00
smc net/smc: fix shutdown in state SMC_LISTEN 2018-04-29 11:33:11 +02:00
strparser strparser: Fix incorrect strp->need_bytes value. 2018-04-29 11:33:13 +02:00
sunrpc SUNRPC: Don't call __UDPX_INC_STATS() from a preemptible context 2018-04-26 11:02:19 +02:00
switchdev net: switchdev: Remove bridge bypass support from switchdev 2017-08-07 14:48:48 -07:00
tipc tipc: add policy for TIPC_NLA_NET_ADDR 2018-04-29 11:33:12 +02:00
tls tls: reset crypto_info when do_tls_setsockopt_tx fails 2018-01-31 14:03:48 +01:00
unix License cleanup: add SPDX license identifiers to some files 2017-11-02 10:04:46 -07:00
vmw_vsock VSOCK: fix outdated sk_state value in hvs_release() 2018-02-25 11:07:59 +01:00
wimax License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
wireless nl80211: Check for the required netlink attribute presence 2018-03-03 10:24:34 +01:00
x25 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfrm xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems 2018-04-08 14:26:29 +02:00
compat.c net: compat: assert the size of cmsg copied in is as expected 2017-09-20 15:36:18 -07:00
Kconfig net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros. 2017-09-04 13:25:20 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
socket.c kmemcheck: remove annotations 2018-02-22 15:42:23 +01:00
sysctl_net.c