android/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
614811692e
android_kernel_xiaomi_sm8450/net
History
Lin Ma 614811692e xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH 
[ Upstream commit 5e2424708da7207087934c5c75211e8584d553a0 ]

The previous commit 4e484b3e969b ("xfrm: rate limit SA mapping change
message to user space") added one additional attribute named
XFRMA_MTIMER_THRESH and described its type at compat_policy
(net/xfrm/xfrm_compat.c).

However, the author forgot to also describe the nla_policy at
xfrma_policy (net/xfrm/xfrm_user.c). Hence, this suppose NLA_U32 (4
bytes) value can be faked as empty (0 bytes) by a malicious user, which
leads to 4 bytes overflow read and heap information leak when parsing
nlattrs.

To exploit this, one malicious user can spray the SLUB objects and then
leverage this 4 bytes OOB read to leak the heap data into
x->mapping_maxage (see xfrm_update_ae_params(...)), and leak it to
userspace via copy_to_user_state_extra(...).

The above bug is assigned CVE-2023-3773. To fix it, this commit just
completes the nla_policy description for XFRMA_MTIMER_THRESH, which
enforces the length check and avoids such OOB read.

Fixes: 4e484b3e969b ("xfrm: rate limit SA mapping change message to user space")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-08-26 15:26:52 +02:00
..
6lowpan 6lowpan: iphc: Fix an off-by-one check of array index 2021-09-15 09:50:34 +02:00
9p 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition 2023-04-20 12:10:25 +02:00
802 mrp: introduce active flags to prevent UAF when applicant uninit 2023-01-14 10:16:18 +01:00
8021q vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() 2023-05-30 12:57:53 +01:00
appletalk appletalk: Fix skb allocation size in loopback case 2021-04-07 15:00:08 +02:00
atm atm: hide unused procfs functions 2023-06-09 10:30:12 +02:00
ax25 net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg 2022-06-22 14:13:17 +02:00
batman-adv batman-adv: Switch to kstrtox.h for kstrtou64 2023-06-21 15:45:40 +02:00
bluetooth Bluetooth: L2CAP: Fix use-after-free 2023-08-26 15:26:45 +02:00
bpf bpf: Move skb->len == 0 checks into __bpf_redirect 2023-01-14 10:15:31 +01:00
bpfilter bpfilter: Specify the log level for the kmsg message 2021-07-14 16:56:29 +02:00
bridge bridge: Add extack warning when enabling STP in netns. 2023-07-27 08:44:39 +02:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-17 08:45:11 +01:00
can can: bcm: Fix UAF in bcm_proc_show() 2023-07-27 08:44:35 +02:00
ceph libceph: fix potential hang in ceph_osdc_notify() 2023-08-11 11:57:51 +02:00
core bpf: sockmap: Remove preempt_disable in sock_map_sk_acquire 2023-08-11 11:57:49 +02:00
dcb net: dcb: choose correct policy to parse DCB_ATTR_BCN 2023-08-11 11:57:50 +02:00
dccp dccp: fix data-race around dp->dccps_mss_cache 2023-08-16 18:21:01 +02:00
decnet Remove DECnet support from kernel 2023-06-21 15:45:38 +02:00
dns_resolver
dsa net: dsa: tag_sja1105: fix MAC DA patching from meta frames 2023-07-27 08:44:10 +02:00
ethernet
ethtool net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats 2023-01-24 07:19:55 +01:00
hsr hsr: ratelimit only when errors are printed 2023-04-05 11:23:52 +02:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-11-03 23:57:51 +09:00
ife
ipv4 ip_vti: fix potential slab-use-after-free in decode_session6 2023-08-26 15:26:52 +02:00
ipv6 ip6_vti: fix slab-use-after-free in decode_session6 2023-08-26 15:26:52 +02:00
iucv net/iucv: Fix size of interrupt data 2023-03-22 13:30:00 +01:00
kcm kcm: close race conditions on sk_receive_queue 2022-11-25 17:45:56 +01:00
key net: af_key: fix sadb_x_filter validation 2023-08-26 15:26:51 +02:00
l2tp inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). 2023-04-26 11:27:41 +02:00
l3mdev l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu 2022-04-27 13:53:50 +02:00
lapb net: lapb: Copy the skb before sending a packet 2021-02-10 09:29:14 +01:00
llc llc: Don't drop packet from non-root netns. 2023-07-27 08:44:40 +02:00
mac80211 wifi: mac80211: fix min center freq offset tracing 2023-05-30 12:57:53 +01:00
mac802154 mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() 2022-12-14 11:32:01 +01:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-22 12:55:58 +01:00
mptcp inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). 2023-04-26 11:27:41 +02:00
ncsi net/ncsi: clear Tx enable mode when handling a Config required AEN 2023-05-17 11:48:10 +02:00
netfilter netfilter: nf_tables: report use refcount overflow 2023-08-16 18:21:03 +02:00
netlabel netlabel: fix out-of-bounds memory accesses 2022-04-13 21:01:00 +02:00
netlink netlink: Add __sock_i_ino() for __netlink_diag_dump(). 2023-07-27 08:43:43 +02:00
netrom netrom: fix info-leak in nr_write_internal() 2023-06-09 10:30:05 +02:00
nfc net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-07-27 08:43:43 +02:00
nsh net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() 2023-05-30 12:57:52 +01:00
openvswitch net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() 2023-02-22 12:55:57 +01:00
packet net/packet: annotate data-races around tp->status 2023-08-16 18:21:01 +02:00
phonet phonet: refcount leak in pep_sock_accep 2022-01-11 15:25:01 +01:00
psample net: psample: Fix netlink skb length with tunnel info 2021-03-07 12:34:07 +01:00
qrtr net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume() 2023-04-20 12:10:26 +02:00
rds rds: rds_rm_zerocopy_callback() correct order for list_add_tail() 2023-03-11 16:39:26 +01:00
rfkill rfkill: Fix use-after-free in rfkill_resume() 2020-11-12 09:18:06 +01:00
rose net/rose: Fix to not accept on connected socket 2023-02-22 12:55:53 +01:00
rxrpc rxrpc: Fix hard call timeout units 2023-05-17 11:48:11 +02:00
sched sch_netem: fix issues in netem_change() vs get_dist_table() 2023-08-16 18:21:03 +02:00
sctp sctp: fix potential deadlock on &net->sctp.addr_wq_lock 2023-07-27 08:44:08 +02:00
smc net/smc: Avoid to access invalid RMBs' MRs in SMCRv1 ADD LINK CONT 2023-06-14 11:09:39 +02:00
strparser bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding 2021-11-18 14:04:27 +01:00
sunrpc SUNRPC: Fix UAF in svc_tcp_listen_data_ready() 2023-07-27 08:44:02 +02:00
switchdev net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP 2021-02-07 15:37:12 +01:00
tipc tipc: stop tipc crypto on failure in tipc_node_create 2023-08-11 11:57:37 +02:00
tls net: deal with most data-races in sk_wait_event() 2023-05-30 12:57:46 +01:00
unix net: add missing data-race annotations around sk->sk_peek_off 2023-08-11 11:57:49 +02:00
vmw_vsock vsock: avoid to close connected socket after the timeout 2023-05-30 12:57:52 +01:00
wimax genetlink: move to smaller ops wherever possible 2020-10-02 19:11:11 -07:00
wireless wifi: cfg80211: Fix return value in scan logic 2023-08-11 11:57:47 +02:00
x25 net/x25: Fix to not accept on connected socket 2023-02-15 17:22:15 +01:00
xdp xsk: Honor SO_BINDTODEVICE on bind 2023-07-27 08:44:09 +02:00
xfrm xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH 2023-08-26 15:26:52 +02:00
compat.c net: Return the correct errno code 2021-06-18 10:00:06 +02:00
devres.c net: devres: rename the release callback of devm_register_netdev() 2020-06-30 15:57:34 -07:00
Kconfig Remove DECnet support from kernel 2023-06-21 15:45:38 +02:00
Makefile Remove DECnet support from kernel 2023-06-21 15:45:38 +02:00
socket.c bpf: Remove extra lock_sock for TCP_ZEROCOPY_RECEIVE 2023-07-27 08:43:37 +02:00
sysctl_net.c