linux_dsm_epyc7002/net/llc
Pavel Skripkin 522bc8bbe8 net: llc: fix skb_over_panic
[ Upstream commit c7c9d2102c9c098916ab9e0ab248006107d00d6c ]

Syzbot reported skb_over_panic() in llc_pdu_init_as_xid_cmd(). The
problem was in wrong LCC header manipulations.

Syzbot's reproducer tries to send XID packet. llc_ui_sendmsg() is
doing following steps:

	1. skb allocation with size = len + header size
		len is passed from userpace and header size
		is 3 since addr->sllc_xid is set.

	2. skb_reserve() for header_len = 3
	3. filling all other space with memcpy_from_msg()

Ok, at this moment we have fully loaded skb, only headers needs to be
filled.

Then code comes to llc_sap_action_send_xid_c(). This function pushes 3
bytes for LLC PDU header and initializes it. Then comes
llc_pdu_init_as_xid_cmd(). It initalizes next 3 bytes *AFTER* LLC PDU
header and call skb_push(skb, 3). This looks wrong for 2 reasons:

	1. Bytes rigth after LLC header are user data, so this function
	   was overwriting payload.

	2. skb_push(skb, 3) call can cause skb_over_panic() since
	   all free space was filled in llc_ui_sendmsg(). (This can
	   happen is user passed 686 len: 686 + 14 (eth header) + 3 (LLC
	   header) = 703. SKB_DATA_ALIGN(703) = 704)

So, in this patch I added 2 new private constansts: LLC_PDU_TYPE_U_XID
and LLC_PDU_LEN_U_XID. LLC_PDU_LEN_U_XID is used to correctly reserve
header size to handle LLC + XID case. LLC_PDU_TYPE_U_XID is used by
llc_pdu_header_init() function to push 6 bytes instead of 3. And finally
I removed skb_push() call from llc_pdu_init_as_xid_cmd().

This changes should not affect other parts of LLC, since after
all steps we just transmit buffer.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+5e5a981ad7cc54c4b2b4@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-07-05 18:04:53 +02:00
..
af_llc.c net: llc: fix skb_over_panic 2024-07-05 18:04:53 +02:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
llc_c_ac.c llc: fix sk_buff leak in llc_conn_service() 2019-10-08 13:23:05 -07:00
llc_c_ev.c net: replace remaining __FUNCTION__ occurrences 2008-03-05 20:47:47 -08:00
llc_c_st.c llc: Make llc_conn_ev_qfyr_t function pointer arrays const 2014-12-10 15:21:24 -05:00
llc_conn.c net: llc: kerneldoc fixes 2020-07-13 17:20:39 -07:00
llc_core.c llc: avoid blocking in llc_sap_close() 2018-09-13 09:04:58 -07:00
llc_if.c llc: fix another potential sk_buff leak in llc_ui_sendmsg() 2019-10-08 13:23:05 -07:00
llc_input.c net: llc: kerneldoc fixes 2020-07-13 17:20:39 -07:00
llc_output.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 281 2019-06-05 17:36:36 +02:00
llc_pdu.c net: llc: kerneldoc fixes 2020-07-13 17:20:39 -07:00
llc_proc.c net: Add missing annotation for llc_seq_start() 2020-02-24 13:26:49 -08:00
llc_s_ac.c net: llc: fix skb_over_panic 2024-07-05 18:04:53 +02:00
llc_s_ev.c
llc_s_st.c llc: Make llc_sap_action_t function pointer arrays const 2014-12-10 15:21:24 -05:00
llc_sap.c net: llc: kerneldoc fixes 2020-07-13 17:20:39 -07:00
llc_station.c llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) 2019-12-20 21:19:36 -08:00
Makefile llc: fix whitespace issues 2018-07-24 14:10:42 -07:00
sysctl_net_llc.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00