1. 10 Jan, 2018 2 commits
  2. 09 Jan, 2018 1 commit
  3. 08 Jan, 2018 2 commits
  4. 05 Jan, 2018 1 commit
  5. 31 Dec, 2017 1 commit
  6. 30 Dec, 2017 4 commits
    • Eric Biggers's avatar
      af_key: fix buffer overread in parse_exthdrs() · 4e765b49
      Eric Biggers authored
      If a message sent to a PF_KEY socket ended with an incomplete extension
      header (fewer than 4 bytes remaining), then parse_exthdrs() read past
      the end of the message, into uninitialized memory.  Fix it by returning
      -EINVAL in this case.
      
      Reproducer:
      
      	#include <linux/pfkeyv2.h>
      	#include <sys/socket.h>
      	#include <unistd.h>
      
      	int main()
      	{
      		int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
      		char buf[17] = { 0 };
      		struct sadb_msg *msg = (void *)buf;
      
      		msg->sadb_msg_version = PF_KEY_V2;
      		msg->sadb_msg_type = SADB_DELETE;
      		msg->sadb_msg_len = 2;
      
      		write(sock, buf, 17);
      	}
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      4e765b49
    • Eric Biggers's avatar
      af_key: fix buffer overread in verify_address_len() · 06b335cb
      Eric Biggers authored
      If a message sent to a PF_KEY socket ended with one of the extensions
      that takes a 'struct sadb_address' but there were not enough bytes
      remaining in the message for the ->sa_family member of the 'struct
      sockaddr' which is supposed to follow, then verify_address_len() read
      past the end of the message, into uninitialized memory.  Fix it by
      returning -EINVAL in this case.
      
      This bug was found using syzkaller with KMSAN.
      
      Reproducer:
      
      	#include <linux/pfkeyv2.h>
      	#include <sys/socket.h>
      	#include <unistd.h>
      
      	int main()
      	{
      		int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
      		char buf[24] = { 0 };
      		struct sadb_msg *msg = (void *)buf;
      		struct sadb_address *addr = (void *)(msg + 1);
      
      		msg->sadb_msg_version = PF_KEY_V2;
      		msg->sadb_msg_type = SADB_DELETE;
      		msg->sadb_msg_len = 3;
      		addr->sadb_address_len = 1;
      		addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
      
      		write(sock, buf, 24);
      	}
      Reported-by: default avatarAlexander Potapenko <glider@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      06b335cb
    • Florian Westphal's avatar
      xfrm: skip policies marked as dead while rehashing · 862591bf
      Florian Westphal authored
      syzkaller triggered following KASAN splat:
      
      BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
      read of size 2 at addr ffff8801c8e92fe4 by task kworker/1:1/23 [..]
      Workqueue: events xfrm_hash_rebuild [..]
       __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
       xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
       process_one_work+0xbbf/0x1b10 kernel/workqueue.c:2112
       worker_thread+0x223/0x1990 kernel/workqueue.c:2246 [..]
      
      The reproducer triggers:
      1016                 if (error) {
      1017                         list_move_tail(&walk->walk.all, &x->all);
      1018                         goto out;
      1019                 }
      
      in xfrm_policy_walk() via pfkey (it sets tiny rcv space, dump
      callback returns -ENOBUFS).
      
      In this case, *walk is located the pfkey socket struct, so this socket
      becomes visible in the global policy list.
      
      It looks like this is intentional -- phony walker has walk.dead set to 1
      and all other places skip such "policies".
      
      Ccing original authors of the two commits that seem to expose this
      issue (first patch missed ->dead check, second patch adds pfkey
      sockets to policies dumper list).
      
      Fixes: 880a6fab ("xfrm: configure policy hash table thresholds by netlink")
      Fixes: 12a169e7 ("ipsec: Put dumpers on the dump list")
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Timo Teras <timo.teras@iki.fi>
      Cc: Christophe Gouault <christophe.gouault@6wind.com>
      Reported-by: default avatarsyzbot <bot+c028095236fcb6f4348811565b75084c754dc729@syzkaller.appspotmail.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      862591bf
    • Herbert Xu's avatar
      xfrm: Forbid state updates from changing encap type · 257a4b01
      Herbert Xu authored
      Currently we allow state updates to competely replace the contents
      of x->encap.  This is bad because on the user side ESP only sets up
      header lengths depending on encap_type once when the state is first
      created.  This could result in the header lengths getting out of
      sync with the actual state configuration.
      
      In practice key managers will never do a state update to change the
      encapsulation type.  Only the port numbers need to be changed as the
      peer NAT entry is updated.
      
      Therefore this patch adds a check in xfrm_state_update to forbid
      any changes to the encap_type.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      257a4b01
  7. 29 Dec, 2017 5 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 2758b3e3
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) IPv6 gre tunnels end up with different default features enabled
          depending upon whether netlink or ioctls are used to bring them up.
          Fix from Alexey Kodanev.
      
       2) Fix read past end of user control message in RDS< from Avinash
          Repaka.
      
       3) Missing RCU barrier in mini qdisc code, from Cong Wang.
      
       4) Missing policy put when reusing per-cpu route entries, from Florian
          Westphal.
      
       5) Handle nested PCI errors properly in bnx2x driver, from Guilherme G.
          Piccoli.
      
       6) Run nested transport mode IPSEC packets via tasklet, from Herbert
          Xu.
      
       7) Fix handling poll() for stream sockets in tipc, from Parthasarathy
          Bhuvaragan.
      
       8) Fix two stack-out-of-bounds issues in IPSEC, from Steffen Klassert.
      
       9) Another zerocopy ubuf handling fix, from Willem de Bruijn.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (33 commits)
        strparser: Call sock_owned_by_user_nocheck
        sock: Add sock_owned_by_user_nocheck
        skbuff: in skb_copy_ubufs unclone before releasing zerocopy
        tipc: fix hanging poll() for stream sockets
        sctp: Replace use of sockets_allocated with specified macro.
        bnx2x: Improve reliability in case of nested PCI errors
        tg3: Enable PHY reset in MTU change path for 5720
        tg3: Add workaround to restrict 5762 MRRS to 2048
        tg3: Update copyright
        net: fec: unmap the xmit buffer that are not transferred by DMA
        tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path
        tipc: error path leak fixes in tipc_enable_bearer()
        RDS: Check cmsg_len before dereferencing CMSG_DATA
        tcp: Avoid preprocessor directives in tracepoint macro args
        tipc: fix memory leak of group member when peer node is lost
        net: sched: fix possible null pointer deref in tcf_block_put
        tipc: base group replicast ack counter on number of actual receivers
        net_sched: fix a missing rcu barrier in mini_qdisc_pair_swap()
        net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround
        ip6_gre: fix device features for ioctl setup
        ...
      2758b3e3
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.15-rc6' of git://people.freedesktop.org/~airlied/linux · fd84b751
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "nouveau and i915 regression fixes"
      
      * tag 'drm-fixes-for-v4.15-rc6' of git://people.freedesktop.org/~airlied/linux:
        drm/nouveau: fix race when adding delayed work items
        i915: Reject CCS modifiers for pipe C on Geminilake
        drm/i915/gvt: Fix pipe A enable as default for vgpu
      fd84b751
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · c0208a33
      Linus Torvalds authored
      Pull clk fix from Stephen Boyd:
       "One more fix for the runtime PM clk patches. We're calling a runtime
        PM API that may schedule from somewhere that we can't do that. We
        change to the async version of pm_runtime_put() to fix it"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: use atomic runtime pm api in clk_core_is_enabled
      c0208a33
    • Linus Torvalds's avatar
      Merge tag 'led_fixes_for_4.15-rc6' of... · 4f2382f3
      Linus Torvalds authored
      Merge tag 'led_fixes_for_4.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds
      
      Pull LED fix from Jacek Anaszewski:
       "A single LED fix for brightness setting when delay_off is 0"
      
      * tag 'led_fixes_for_4.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds:
        led: core: Fix brightness setting when setting delay_off=0
      4f2382f3
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 19286e4a
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "This is the next batch of for-rc patches from RDMA. It includes the
        fix for the ipoib regression I mentioned last time, and the result of
        a fairly major debugging effort to get iser working reliably on cxgb4
        hardware - it turns out the cxgb4 driver was not handling QP error
        flushing properly causing iser to fail.
      
         - cxgb4 fix for an iser testing failure as debugged by Steve and
           Sagi. The problem was a driver bug in the handling of shutting down
           a QP.
      
         - Various vmw_pvrdma fixes for bogus WARN_ON, missed resource free on
           error unwind and a use after free bug
      
         - Improper congestion counter values on mlx5 when link aggregation is
           enabled
      
         - ipoib lockdep regression introduced in this merge window
      
         - hfi1 regression supporting the device in a VM introduced in a
           recent patch
      
         - Typo that breaks future uAPI compatibility in the verbs core
      
         - More SELinux related oops fixing
      
         - Fix an oops during error unwind in mlx5"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        IB/mlx5: Fix mlx5_ib_alloc_mr error flow
        IB/core: Verify that QP is security enabled in create and destroy
        IB/uverbs: Fix command checking as part of ib_uverbs_ex_modify_qp()
        IB/mlx5: Serialize access to the VMA list
        IB/hfi: Only read capability registers if the capability exists
        IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush
        IB/mlx5: Fix congestion counters in LAG mode
        RDMA/vmw_pvrdma: Avoid use after free due to QP/CQ/SRQ destroy
        RDMA/vmw_pvrdma: Use refcount_dec_and_test to avoid warning
        RDMA/vmw_pvrdma: Call ib_umem_release on destroy QP path
        iw_cxgb4: when flushing, complete all wrs in a chain
        iw_cxgb4: reflect the original WR opcode in drain cqes
        iw_cxgb4: Only validate the MSN for successful completions
      19286e4a
  8. 28 Dec, 2017 6 commits
  9. 27 Dec, 2017 18 commits