android_kernel_sony_msm8994/net/ipv6
Eric Dumazet b2f9d4f533
ipv6: fix out of bound writes in __ip6_append_data()
Andrey Konovalov and idaifish@gmail.com reported crashes caused by
one skb shared_info being overwritten from __ip6_append_data().

Andrey's program led to the following state:

copy -4200 datalen 2000 fraglen 2040
maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200

The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
fraggap, 0); is overwriting skb->head and skb_shared_info.

Since we apparently detect this rare condition too late, move the
code earlier to even avoid allocating skb and risking crashes.

Once again, many thanks to Andrey and syzkaller team.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Reported-by: <idaifish@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-09-16 22:44:42 +02:00
netfilter netfilter: x_tables: don't move to non-existent next rule 2017-09-13 17:36:29 +02:00
addrconf_core.c
addrconf.c ipv6: addrconf: validate new MTU before applying it 2017-06-11 22:35:36 -07:00
addrlabel.c
af_inet6.c net: add validation for the socket syscall protocol argument 2017-09-12 16:35:40 +02:00
ah6.c
anycast.c ipv6: clean up anycast when an interface is destroyed 2015-08-12 18:30:06 -07:00
datagram.c ipv6: add complete rcu protection around np->opt. 2016-09-27 08:35:56 -07:00
esp6.c
exthdrs_core.c
exthdrs_offload.c
exthdrs.c ipv6: add complete rcu protection around np->opt. 2016-09-27 08:35:56 -07:00
fib6_rules.c
icmp.c net: add a sysctl to reflect the fwmark on replies 2014-06-23 15:20:28 -07:00
inet6_connection_sock.c ipv6: add complete rcu protection around np->opt. 2016-09-27 08:35:56 -07:00
inet6_hashtables.c
ip6_checksum.c
ip6_fib.c ipv6: update ip6_rt_last_gc every time GC is run 2015-07-03 19:48:09 -07:00
ip6_flowlabel.c
ip6_gre.c ip6_gre: fix ip6gre_err() invalid reads 2017-09-16 17:19:42 +02:00
ip6_icmp.c
ip6_input.c
ip6_offload.c ipv6: Prevent overrun when parsing v6 header options 2017-09-16 18:12:38 +02:00
ip6_offload.h
ip6_output.c ipv6: fix out of bound writes in __ip6_append_data() 2017-09-16 22:44:42 +02:00
ip6_tunnel.c ip6_tunnel: Use ip6_tnl_dev_init as the ndo_init function. 2014-11-21 09:22:51 -08:00
ip6mr.c ipv4, fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif 2015-08-12 18:30:13 -07:00
ipcomp6.c
ipv6_sockglue.c ipv6: add complete rcu protection around np->opt. 2016-09-27 08:35:56 -07:00
Kconfig
Makefile
mcast.c
mip6.c
ndisc.c This is the 3.10.84 stable release 2015-08-13 14:38:09 -07:00
netfilter.c
output_core.c ipv6: Prevent overrun when parsing v6 header options 2017-09-16 18:12:38 +02:00
ping.c net: ping: Return EAFNOSUPPORT when appropriate. 2015-08-12 18:30:41 -07:00
proc.c
protocol.c
raw.c net: add length argument to skb_copy_and_csum_datagram_iovec 2017-09-02 18:04:00 +02:00
reassembly.c
route.c This is the 3.10.84 stable release 2015-08-13 14:38:09 -07:00
sit.c sit: Fix ipip6_tunnel_lookup device matching criteria 2014-10-15 08:31:56 +02:00
syncookies.c ipv6: add complete rcu protection around np->opt. 2016-09-27 08:35:56 -07:00
sysctl_net_ipv6.c net: add a sysctl to reflect the fwmark on replies 2014-06-23 15:20:28 -07:00
tcp_ipv6.c ipv6/dccp: do not inherit ipv6_mc_list from parent 2017-09-16 22:43:28 +02:00
tcpv6_offload.c
tunnel6.c
udp_impl.h
udp_offload.c ipv6: Prevent overrun when parsing v6 header options 2017-09-16 18:12:38 +02:00
udp.c net: add length argument to skb_copy_and_csum_datagram_iovec 2017-09-02 18:04:00 +02:00
udplite.c
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c xfrm: Increase the garbage collector threshold 2015-07-03 19:48:09 -07:00
xfrm6_state.c
xfrm6_tunnel.c