From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Michael Scott <michael@opensourcefoundries.com>,
Marcel Holtmann <marcel@holtmann.org>,
Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.4 10/43] 6lowpan: iphc: reset mac_header after decompress to fix panic
Date: Mon, 17 Sep 2018 03:04:54 +0000
Message-ID: <20180917030445.484-10-alexander.levin@microsoft.com>
In-Reply-To: <20180917030445.484-1-alexander.levin@microsoft.com>
From: Michael Scott <michael@opensourcefoundries.com>

[ Upstream commit 03bc05e1a4972f73b4eb8907aa373369e825c252 ]

After decompression of 6lowpan socket data, an IPv6 header is inserted
before the existing socket payload. After this, we reset the
network_header value of the skb to account for the difference in payload
size from prior to decompression + the addition of the IPv6 header.

However, we fail to reset the mac_header value.

Leaving the mac_header value untouched here can cause a calculation
error in net/packet/af_packet.c packet_rcv() function when an
AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
interface.

On line 2088, the data pointer is moved backward by the value returned
from skb_mac_header(). If skb->data is adjusted so that it is before
the skb->head pointer (which can happen when an old value of mac_header
is left in place) the kernel generates a panic in net/core/skbuff.c
line 1717.

This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
sources for compression and decompression.

Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
Acked-by: Alexander Aring <aring@mojatatu.com>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
net/6lowpan/iphc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c
index 346b5c1a9185..c40eb04dd856 100644
--- a/net/6lowpan/iphc.c
+++ b/net/6lowpan/iphc.c
@@ -569,6 +569,7 @@ int lowpan_header_decompress(struct sk_buff *skb, const struct net_device *dev,
hdr.hop_limit, &hdr.daddr);
skb_push(skb, sizeof(hdr));
+ skb_reset_mac_header(skb);
skb_reset_network_header(skb);
skb_copy_to_linear_data(skb, &hdr, sizeof(hdr));
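Review bot: The added skb_reset_mac_header(skb) after skb_push(skb, sizeof(hdr)) carries no comment, and with skb_reset_network_header(skb) on the very next line both offsets end up pointing at the same place, which looks redundant to anyone reading the function without the commit message. A one-line comment above the call would keep it from being cleaned up later, for example noting that a stale mac_header lets packet_rcv() on an AF_PACKET SOCK_RAW socket move skb->data in front of skb->head. The commit message also locates the failure by line number (2088 in net/packet/af_packet.c, 1717 in net/core/skbuff.c); those numbers belong to one tree, so for a 4.4 backport it would be more durable to name the functions involved.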
--
2.17.1