AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-11-24 01:00:52 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
epyc7002
linux_dsm_epyc7002/drivers/net/hamradio
History
Pavel Skripkin 49ed41a95f net: 6pack: fix slab-out-of-bounds in decode_data 
[ Upstream commit 19d1532a187669ce86d5a2696eb7275310070793 ]

Syzbot reported slab-out-of bounds write in decode_data().
The problem was in missing validation checks.

Syzbot's reproducer generated malicious input, which caused
decode_data() to be called a lot in sixpack_decode(). Since
rx_count_cooked is only 400 bytes and noone reported before,
that 400 bytes is not enough, let's just check if input is malicious
and complain about buffer overrun.

Fail log:
==================================================================
BUG: KASAN: slab-out-of-bounds in drivers/net/hamradio/6pack.c:843
Write of size 1 at addr ffff888087c5544e by task kworker/u4:0/7

CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.6.0-rc3-syzkaller #0
...
Workqueue: events_unbound flush_to_ldisc
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/generic_report.c:137
 decode_data.part.0+0x23b/0x270 drivers/net/hamradio/6pack.c:843
 decode_data drivers/net/hamradio/6pack.c:965 [inline]
 sixpack_decode drivers/net/hamradio/6pack.c:968 [inline]

Reported-and-tested-by: syzbot+fc8cd9a673d4577fb2e4@syzkaller.appspotmail.com
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-07-05 18:55:46 +02:00
..
6pack.c net: 6pack: fix slab-out-of-bounds in decode_data 2024-07-05 18:55:46 +02:00
baycom_epp.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
baycom_par.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 69 2019-05-24 17:36:47 +02:00
baycom_ser_fdx.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 69 2019-05-24 17:36:47 +02:00
baycom_ser_hdx.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 69 2019-05-24 17:36:47 +02:00
bpqether.c net: change addr_list_lock back to static key 2020-06-09 12:59:45 -07:00
dmascc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
hdlcdrv.c hdlcdrv: replace unnecessary assertion in hdlcdrv_register 2019-12-19 17:34:20 -08:00
Kconfig docs: networking: move baycom to the hw driver section 2020-06-26 16:08:44 -07:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mkiss.c net: hamradio: fix memory leak in mkiss_close 2021-06-23 14:42:46 +02:00
scc.c drivers: net: hamradio: fix document location 2020-10-15 07:49:47 +02:00
yam.c yam: fix possible memory leak in yam_init_driver 2020-06-04 15:58:41 -07:00
z8530.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00