leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
bc4adf0eb72dbba8355fef3ef4451e4f72702c99
linux/net
History
Davide Caratti e7579d5d5b net: mptcp: cap forward allocation to 1M 
the following syzkaller reproducer:

 r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
 bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e24, @multicast2}, 0x10)
 connect$inet(r0, &(0x7f0000000480)={0x2, 0x4e24, @local}, 0x10)
 sendto$inet(r0, &(0x7f0000000100)="f6", 0xffffffe7, 0xc000, 0x0, 0x0)

systematically triggers the following warning:

 WARNING: CPU: 2 PID: 8618 at net/core/stream.c:208 sk_stream_kill_queues+0x3fa/0x580
 Modules linked in:
 CPU: 2 PID: 8618 Comm: syz-executor Not tainted 5.10.0+ #334
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/04
 RIP: 0010:sk_stream_kill_queues+0x3fa/0x580
 Code: df 48 c1 ea 03 0f b6 04 02 84 c0 74 04 3c 03 7e 40 8b ab 20 02 00 00 e9 64 ff ff ff e8 df f0 81 2
 RSP: 0018:ffffc9000290fcb0 EFLAGS: 00010293
 RAX: ffff888011cb8000 RBX: 0000000000000000 RCX: ffffffff86eecf0e
 RDX: 0000000000000000 RSI: ffffffff86eecf6a RDI: 0000000000000005
 RBP: 0000000000000e28 R08: ffff888011cb8000 R09: fffffbfff1f48139
 R10: ffffffff8fa409c7 R11: fffffbfff1f48138 R12: ffff8880215e6220
 R13: ffffffff8fa409c0 R14: ffffc9000290fd30 R15: 1ffff92000521fa2
 FS:  00007f41c78f4800(0000) GS:ffff88802d000000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f95c803d088 CR3: 0000000025ed2000 CR4: 00000000000006f0
 Call Trace:
  __mptcp_destroy_sock+0x4f5/0x8e0
   mptcp_close+0x5e2/0x7f0
  inet_release+0x12b/0x270
  __sock_release+0xc8/0x270
  sock_close+0x18/0x20
  __fput+0x272/0x8e0
  task_work_run+0xe0/0x1a0
  exit_to_user_mode_prepare+0x1df/0x200
  syscall_exit_to_user_mode+0x19/0x50
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

userspace programs provide arbitrarily high values of 'len' in sendmsg():
this is causing integer overflow of 'amount'. Cap forward allocation to 1
megabyte: higher values are not really useful.

Suggested-by: Paolo Abeni <pabeni@redhat.com>
Fixes: e93da92896 ("mptcp: implement wmem reservation")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Link: https://lore.kernel.org/r/3334d00d8b2faecafdfab9aa593efcbf61442756.1608584474.git.dcaratti@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2020-12-28 13:53:57 -08:00
..
6lowpan
9p
net: 9p: Fix kerneldoc warnings of missing parameters etc
2020-11-02 12:25:52 -08:00
802
8021q
appletalk
net: appletalk: fix kerneldoc warnings
2020-10-30 11:48:17 -07:00
atm
atm: nicstar: Replace in_interrupt() usage
2020-11-18 16:43:55 -08:00
ax25
batman-adv
batman-adv: Drop unused soft-interface.h include in fragmentation.c
2020-12-04 08:41:16 +01:00
bluetooth
Bluetooth: Increment management interface revision
2020-12-07 17:02:00 +02:00
bpf
bpfilter
Revert "bpfilter: Fix build error with CONFIG_BPFILTER_UMH"
2020-10-15 12:33:24 -07:00
bridge
net: bridge: Fix a warning when del bridge sysfs
2020-12-14 18:27:49 -08:00
caif
can
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2020-12-11 22:29:38 -08:00
ceph
Merge tag 'ceph-for-5.11-rc1' of git://github.com/ceph/ceph-client
2020-12-17 11:53:52 -08:00
core
net-sysfs: take the rtnl lock when accessing xps_rxqs_map and num_tc
2020-12-28 13:26:46 -08:00
dcb
net: dcb: Validate netlink message in DCB handler
2020-12-23 12:19:48 -08:00
dccp
Merge tag 'selinux-pr-20201214' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
2020-12-16 11:01:04 -08:00
decnet
treewide: rename nla_strlcpy to nla_strscpy.
2020-11-16 08:08:54 -08:00
dns_resolver
dsa
net: dsa: print the MTU value that could not be set
2020-12-08 11:24:07 -08:00
ethernet
net: datagram: fix some kernel-doc markups
2020-11-17 14:15:03 -08:00
ethtool
ethtool: fix error paths in ethnl_set_channels()
2020-12-16 13:27:17 -08:00
hsr
ieee802154
treewide: rename nla_strlcpy to nla_strscpy.
2020-11-16 08:08:54 -08:00
ife
ipv4
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
2020-12-18 18:07:14 -08:00
ipv6
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
2020-12-18 18:07:14 -08:00
iucv
net/af_iucv: use DECLARE_SOCKADDR to cast from sockaddr
2020-12-08 15:56:53 -08:00
kcm
key
l2tp
lsm,selinux: pass flowi_common instead of flowi to the LSM hooks
2020-11-23 18:36:21 -05:00
l3mdev
net: l3mdev: Fix kerneldoc warning
2020-10-30 11:43:42 -07:00
lapb
net/lapb: fix t1 timer handling for LAPB_STATE_0
2020-11-27 17:22:51 -08:00
llc
net: llc: Fix kerneldoc warnings
2020-10-30 11:34:09 -07:00
mac80211
Merge tag 'mac80211-next-for-net-next-2020-12-11' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next
2020-12-12 10:07:56 -08:00
mac802154
net: mac802154: convert tasklets to use new tasklet_setup() API
2020-11-07 10:40:56 -08:00
mpls
mpls: drop skb's dst in mpls_forward()
2020-11-03 12:55:53 -08:00
mptcp
net: mptcp: cap forward allocation to 1M
2020-12-28 13:53:57 -08:00
ncsi
net/ncsi: Use real net-device for response handler
2020-12-23 12:22:23 -08:00
netfilter
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
2020-12-18 18:07:14 -08:00
netlabel
Merge https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2020-11-19 19:08:46 -08:00
netlink
netlink: export policy in extended ACK
2020-10-09 20:22:32 -07:00
netrom
nfc
net: sched: fix spelling mistake in Kconfig "trys" -> "tries"
2020-12-08 16:01:56 -08:00
nsh
openvswitch
net: openvswitch: fix TTL decrement exception action execution
2020-12-14 17:18:25 -08:00
packet
net: af_packet: fix procfs header for 64-bit pointers
2020-12-18 12:17:23 -08:00
phonet
psample
qrtr
Merge tag 'wireless-drivers-next-2020-12-03' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
2020-12-04 10:56:37 -08:00
rds
rds: stop using dmapool
2020-11-17 15:22:06 -04:00
rfkill
rfkill: add a reason to the HW rfkill state
2020-12-11 12:47:17 +01:00
rose
rose: Fix Null pointer dereference in rose_send_frame()
2020-11-20 10:04:58 -08:00
rxrpc
net: rxrpc: convert comma to semicolon
2020-12-09 16:23:07 -08:00
sched
net/sched: sch_taprio: ensure to reset/destroy all child qdiscs
2020-12-18 16:43:29 -08:00
sctp
sctp: Fix some typo
2020-11-23 17:44:11 -08:00
smc
net/smc: fix access to parent of an ib device
2020-12-16 13:33:47 -08:00
strparser
sunrpc
Merge tag 'nfs-for-5.11-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
2020-12-17 12:15:03 -08:00
switchdev
tipc
tipc: do sanity check payload of a netlink message
2020-12-16 12:45:02 -08:00
tls
net: fix proc_fs init handling in af_packet and tls
2020-12-14 19:39:30 -08:00
unix
Merge tag 'net-next-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2020-10-15 18:42:13 -07:00
vmw_vsock
af_vsock: Assign the vsock transport considering the vsock address flags
2020-12-14 19:33:39 -08:00
wireless
Merge tag 'mac80211-next-for-net-next-2020-12-11' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next
2020-12-12 10:07:56 -08:00
x25
net: x25: Remove unimplemented X.25-over-LLC code stubs
2020-12-12 17:15:33 -08:00
xdp
Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
2020-12-14 15:34:36 -08:00
xfrm
Merge tag 'selinux-pr-20201214' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
2020-12-16 11:01:04 -08:00
compat.c
devres.c
Kconfig
wimax: move out to staging
2020-10-29 19:27:45 +01:00
Makefile
wimax: move out to staging
2020-10-29 19:27:45 +01:00
socket.c
Merge tag 'for-5.11/io_uring-2020-12-14' of git://git.kernel.dk/linux-block
2020-12-16 12:44:05 -08:00
sysctl_net.c