From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+f0cbb34d39392f2746ca@syzkaller.appspotmail.com,
Xin Long <lucien.xin@gmail.com>, Jakub Kicinski <kuba@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 13/66] sctp: properly validate chunk size in sctp_sf_ootb()
Date: Fri, 15 Nov 2024 07:37:22 +0100 [thread overview]
Message-ID: <20241115063723.321937404@linuxfoundation.org> (raw)
In-Reply-To: <20241115063722.834793938@linuxfoundation.org>
5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 0ead60804b64f5bd6999eec88e503c6a1a242d41 ]
A size validation fix similar to that in Commit 50619dbf8db7 ("sctp: add
size validation when walking chunks") is also required in sctp_sf_ootb()
to address a crash reported by syzbot:
BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243
sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233
Reported-by: syzbot+f0cbb34d39392f2746ca@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/a29ebb6d8b9f8affd0f9abb296faafafe10c17d8.1730223981.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/sm_statefuns.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 67df4022853ba..6b613569372a0 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -3637,7 +3637,7 @@ enum sctp_disposition sctp_sf_ootb(struct net *net,
}
ch = (struct sctp_chunkhdr *)ch_end;
- } while (ch_end < skb_tail_pointer(skb));
+ } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
if (ootb_shut_ack)
return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
--
2.43.0
next prev parent reply other threads:[~2024-11-15 6:44 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-15 6:37 [PATCH 5.4 00/66] 5.4.286-rc1 review Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 01/66] arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 02/66] arm64: dts: rockchip: Remove hdmis 2nd interrupt on rk3328 Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 03/66] arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 04/66] arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 05/66] ARM: dts: rockchip: fix rk3036 acodec node Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 06/66] ARM: dts: rockchip: drop grf reference from rk3036 hdmi Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 07/66] ARM: dts: rockchip: Fix the spi controller on rk3036 Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 08/66] ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 09/66] HID: core: zero-initialize the report buffer Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 10/66] security/keys: fix slab-out-of-bounds in key_task_permission Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 11/66] enetc: simplify the return expression of enetc_vf_set_mac_addr() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 12/66] net: enetc: set MAC address to the VF net_device Greg Kroah-Hartman
2024-11-15 6:37 ` Greg Kroah-Hartman [this message]
2024-11-15 6:37 ` [PATCH 5.4 14/66] can: c_can: fix {rx,tx}_errors statistics Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 15/66] net: hns3: fix kernel crash when uninstalling driver Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 16/66] media: stb0899_algo: initialize cfr before using it Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 17/66] media: dvbdev: prevent the risk of out of memory access Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 18/66] media: dvb_frontend: dont play tricks with underflow values Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 19/66] media: adv7604: prevent underflow condition when reporting colorspace Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 20/66] ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 21/66] media: s5p-jpeg: prevent buffer overflows Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 22/66] media: cx24116: prevent overflows on SNR calculus Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 23/66] media: v4l2-tpg: prevent the risk of a division by zero Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 24/66] pwm: imx-tpm: Use correct MODULO value for EPWM mode Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 25/66] drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 26/66] drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 27/66] dm cache: correct the number of origin blocks to match the target length Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 28/66] dm cache: fix out-of-bounds access to the dirty bitset when resizing Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 29/66] dm cache: optimize dirty bit checking with find_next_bit " Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 30/66] dm cache: fix potential out-of-bounds access on the first resume Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 31/66] dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 32/66] nfs: Fix KMSAN warning in decode_getfattr_attrs() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 33/66] btrfs: reinitialize delayed ref list after deleting it from the list Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 34/66] mtd: rawnand: protect access to rawnand devices while in suspend Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 35/66] spi: Fix deadlock when adding SPI controllers on SPI buses Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 36/66] spi: fix use-after-free of the add_lock mutex Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 37/66] net: bridge: xmit: make sure we have at least eth header len bytes Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 38/66] media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 39/66] fs/proc: fix compile warning about variable vmcore_mmap_ops Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 40/66] usb: musb: sunxi: Fix accessing an released usb phy Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 41/66] USB: serial: io_edgeport: fix use after free in debug printk Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 42/66] USB: serial: qcserial: add support for Sierra Wireless EM86xx Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 43/66] USB: serial: option: add Fibocom FG132 0x0112 composition Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 44/66] USB: serial: option: add Quectel RG650V Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 45/66] irqchip/gic-v3: Force propagation of the active state with a read-back Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 46/66] ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 47/66] ALSA: usb-audio: Support jack detection on Dell dock Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 48/66] ALSA: usb-audio: Add quirks for Dell WD19 dock Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 49/66] NFSD: Fix NFSv4s PUTPUBFH operation Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 5.4 50/66] ftrace: Fix possible use-after-free issue in ftrace_location() Greg Kroah-Hartman
2024-11-15 15:24 ` Steven Rostedt
2025-01-07 8:51 ` Koichiro Den
2025-01-07 16:14 ` Steven Rostedt
2025-01-08 2:35 ` Koichiro Den
2024-11-15 6:38 ` [PATCH 5.4 51/66] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 52/66] vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 53/66] ALSA: usb-audio: Add endianness annotations Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 54/66] 9p: Avoid creating multiple slab caches with the same name Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 55/66] HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 56/66] bpf: use kvzmalloc to allocate BPF verifier environment Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 57/66] sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 58/66] powerpc/powernv: Free name on error in opal_event_init() Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 59/66] fs: Fix uninitialized value issue in from_kuid and from_kgid Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 60/66] net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 61/66] md/raid10: improve code of mrdev in raid10_sync_request Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 62/66] mm: clarify a confusing comment for remap_pfn_range() Greg Kroah-Hartman
2024-11-15 7:00 ` Harshvardhan Jha
2024-11-15 8:28 ` Greg Kroah-Hartman
2024-11-15 8:33 ` Harshvardhan Jha
2024-11-15 9:21 ` Greg Kroah-Hartman
2024-11-15 9:36 ` Harshvardhan Jha
2024-11-15 6:38 ` [PATCH 5.4 63/66] mm: fix ambiguous comments for better code readability Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 64/66] mm/memory.c: make remap_pfn_range() reject unaligned addr Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 65/66] mm: add remap_pfn_range_notrack Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.4 66/66] 9p: fix slab cache name creation for real Greg Kroah-Hartman
2024-11-15 15:59 ` [PATCH 5.4 00/66] 5.4.286-rc1 review Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241115063723.321937404@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=lucien.xin@gmail.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+f0cbb34d39392f2746ca@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.