leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
763716a55c
linux/include
History
王贇 b193e15ac6 net: prevent user from passing illegal stab size 
We observed below report when playing with netlink sock:

  UBSAN: shift-out-of-bounds in net/sched/sch_api.c:580:10
  shift exponent 249 is too large for 32-bit type
  CPU: 0 PID: 685 Comm: a.out Not tainted
  Call Trace:
   dump_stack_lvl+0x8d/0xcf
   ubsan_epilogue+0xa/0x4e
   __ubsan_handle_shift_out_of_bounds+0x161/0x182
   __qdisc_calculate_pkt_len+0xf0/0x190
   __dev_queue_xmit+0x2ed/0x15b0

it seems like kernel won't check the stab log value passing from
user, and will use the insane value later to calculate pkt_len.

This patch just add a check on the size/cell_log to avoid insane
calculation.

Reported-by: Abaci <abaci@linux.alibaba.com>
Signed-off-by: Michael Wang <yun.wang@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-09-26 11:09:07 +01:00
..
acpi Merge branches 'pm-cpufreq', 'pm-sleep' and 'pm-em' 2021-09-10 20:26:08 +02:00
asm-generic pci_iounmap'2: Electric Boogaloo: try to make sense of it all 2021-09-19 17:13:35 -07:00
clocksource
crypto
drm
dt-bindings linux-watchdog 5.15-rc1 tag 2021-09-07 13:52:46 -07:00
keys
kunit
kvm
linux Networking fixes for 5.15-rc3. 2021-09-23 10:30:31 -07:00
math-emu
media
memory
misc
net net: prevent user from passing illegal stab size 2021-09-26 11:09:07 +01:00
pcmcia
ras
rdma
scsi
soc
sound
target
trace AFS fixes 2021-09-20 15:49:02 -07:00
uapi 5 smb3client fixes: two deferred close fixes (for bugs found with xfstests 478 and 461) and a deferred close improvement in rename, and two trivial fixes for incorrect Linux comment formatting pointed out by automated tools 2021-09-20 15:30:29 -07:00
vdso
video
xen