android_kernel_samsung_sm8650/net at a1a7e3a36e01ca6e67014f8cf673cb8e47be5550 - android_kernel_samsung_sm8650 - Gitea: Git with a cup of tea

android/android_kernel_samsung_sm8650

History

Xin Long a1a7e3a36e xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire

Without doing verify_sec_ctx_len() check in xfrm_add_acquire(), it may be
out-of-bounds to access uctx->ctx_str with uctx->ctx_len, as noticed by
syz:

  BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x237/0x430
  Read of size 768 at addr ffff8880123be9b4 by task syz-executor.1/11650

  Call Trace:
   dump_stack+0xe8/0x16e
   print_address_description.cold.3+0x9/0x23b
   kasan_report.cold.4+0x64/0x95
   memcpy+0x1f/0x50
   selinux_xfrm_alloc_user+0x237/0x430
   security_xfrm_policy_alloc+0x5c/0xb0
   xfrm_policy_construct+0x2b1/0x650
   xfrm_add_acquire+0x21d/0xa10
   xfrm_user_rcv_msg+0x431/0x6f0
   netlink_rcv_skb+0x15a/0x410
   xfrm_netlink_rcv+0x6d/0x90
   netlink_unicast+0x50e/0x6a0
   netlink_sendmsg+0x8ae/0xd40
   sock_sendmsg+0x133/0x170
   ___sys_sendmsg+0x834/0x9a0
   __sys_sendmsg+0x100/0x1e0
   do_syscall_64+0xe5/0x660
   entry_SYSCALL_64_after_hwframe+0x6a/0xdf

So fix it by adding the missing verify_sec_ctx_len check there.

Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert")
Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

2020-02-12 11:06:32 +01:00

..

6lowpan: no need to check return value of debugfs_create functions

2019-07-06 12:50:01 +02:00

9p pull request for inclusion in 5.4

2019-09-27 15:10:34 -07:00

treewide: Use sizeof_field() macro

2019-12-09 10:36:44 -08:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2020-01-09 12:13:43 -08:00

appletalk: enforce CAP_NET_RAW for raw sockets

2019-09-24 16:37:18 +02:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2020-01-26 10:40:21 +01:00

net: Make sock protocol value checks more specific

2020-01-09 18:41:40 -08:00

Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net

2020-01-19 22:10:04 +01:00

Bluetooth: Fix race condition in hci_release_sock()

2020-01-26 10:34:17 +02:00

bpf: Allow to change skb mark in test_run

2019-12-18 17:05:58 -08:00

Kbuild updates for v5.3

2019-07-12 16:03:16 -07:00

net: bridge: vlan: add per-vlan state

2020-01-24 12:58:14 +01:00

caif_usb: fix spelling mistake "to" -> "too"

2020-01-24 08:12:06 +01:00

can: j1939: j1939_sk_bind(): take priv after lock is held

2019-12-08 11:52:02 +01:00

libceph, rbd, ceph: convert to use the new mount API

2019-11-27 22:28:37 +01:00

net/core: Do not clear VF index for node/port GUIDs query

2020-01-30 15:20:26 +01:00

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201

2019-05-30 11:29:52 -07:00

treewide: Use sizeof_field() macro

2019-12-09 10:36:44 -08:00

net: Make sock protocol value checks more specific

2020-01-09 18:41:40 -08:00

Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs"

2019-07-10 18:43:43 -07:00

net: dsa: Fix use-after-free in probing of DSA switch tree

2020-01-27 11:12:46 +01:00

net: remove eth_change_mtu

2020-01-27 11:09:31 +01:00

net/core: Replace driver version to be kernel version

2020-01-27 13:47:22 +01:00

net/hsr: remove seq_nr_after_or_eq

2020-01-21 12:03:21 +01:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2019-11-02 13:54:56 -07:00

net: Fix Kconfig indentation

2019-09-26 08:56:17 +02:00

vti[6]: fix packet tx through bpf_redirect() in XinY cases

2020-02-06 13:27:30 +01:00

vti[6]: fix packet tx through bpf_redirect() in XinY cases

2020-02-06 13:27:30 +01:00

treewide: Use sizeof_field() macro

2019-12-09 10:36:44 -08:00

kcm: disable preemption in kcm_parse_func_strparser()

2019-09-27 10:27:14 +02:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-07-08 19:48:57 -07:00

l2tp: Remove redundant BUG_ON() check in l2tp_pernet

2020-01-03 12:26:07 -08:00

ipv6: convert major tx path to use RT6_LOOKUP_F_DST_NOREF

2019-06-23 13:24:17 -07:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-06-17 20:20:36 -07:00

llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c)

2019-12-20 21:19:36 -08:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next

2020-01-28 16:02:33 -08:00

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174

2019-05-30 11:26:41 -07:00

net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup

2019-12-04 12:27:13 -08:00

mptcp: Fix undefined mptcp_handle_ipv6_mapped for modular IPV6

2020-01-30 10:55:54 +01:00

net/ncsi: Support for multi host mellanox card

2020-01-09 18:36:22 -08:00

netfilter: flowtable: Fix setting forgotten NF_FLOW_HW_DEAD flag

2020-01-31 19:31:42 +01:00

netlabel: remove redundant assignment to pointer iter

2019-09-01 11:45:02 -07:00

treewide: Use sizeof_field() macro

2019-12-09 10:36:44 -08:00

net: core: add generic lockdep keys

2019-10-24 14:53:48 -07:00

net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive()

2019-12-18 11:57:33 -08:00

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

net: openvswitch: use skb_list_walk_safe helper for gso segments

2020-01-14 11:48:41 -08:00

y2038: core, driver and file system changes

2020-01-29 14:55:47 -08:00

net: Remove redundant BUG_ON() check in phonet_pernet

2020-01-03 12:25:50 -08:00

net: psample: fix skb_over_panic

2019-11-26 14:40:13 -08:00

net: qrtr: Remove receive worker

2020-01-14 18:36:42 -08:00

net/rds: Use prefetch for On-Demand-Paging MR

2020-01-18 11:48:19 +02:00

rfkill: Fix incorrect check to avoid NULL pointer dereference

2019-12-16 10:15:49 +01:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2020-01-26 10:40:21 +01:00

rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect

2020-02-03 10:25:30 +00:00

cls_rsvp: fix rsvp_policy

2020-02-01 12:25:06 -08:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2020-01-09 12:13:43 -08:00

net/smc: allow unprivileged users to read pnet table

2020-01-21 11:39:56 +01:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-06-22 08:59:24 -04:00

y2038: core, driver and file system changes

2020-01-29 14:55:47 -08:00

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152

2019-05-30 11:26:32 -07:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next

2020-01-28 16:02:33 -08:00

Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net

2020-01-19 22:10:04 +01:00

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

2020-01-21 12:18:20 +01:00

Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net

2020-01-19 22:10:04 +01:00

wimax: no need to check return value of debugfs_create functions

2019-08-10 15:25:47 -07:00

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next

2020-01-28 16:02:33 -08:00

net/x25: fix nonblocking connect

2020-01-09 18:39:33 -08:00

xsk, net: Make sock_def_readable() have external linkage

2020-01-22 00:08:52 +01:00

xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire

2020-02-12 11:06:32 +01:00

compat.c

y2038: socket: use __kernel_old_timespec instead of timespec

2019-11-15 14:38:29 +01:00

Kconfig

mptcp: Add MPTCP socket stubs

2020-01-24 13:44:07 +01:00

Makefile

mptcp: Add MPTCP socket stubs

2020-01-24 13:44:07 +01:00

socket.c

socket: fix unused-function warning

2020-01-08 15:02:21 -08:00

sysctl_net.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00