[4.14,07/89] staging: most: net: fix buffer overflow

Message ID	20200203161917.810156004@linuxfoundation.org
State	Superseded
Headers	show Return-Path: <SRS0=s+JW=3X=vger.kernel.org=stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Andrey Shvetsov <andrey.shvetsov@k2l.de> Subject: [PATCH 4.14 07/89] staging: most: net: fix buffer overflow Date: Mon, 3 Feb 2020 16:18:52 +0000 Message-Id: <20200203161917.810156004@linuxfoundation.org> In-Reply-To: <20200203161916.847439465@linuxfoundation.org> References: <20200203161916.847439465@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk
Series	None \| expand [4.14,03/89] USB: serial: ir-usb: add missing endpoint sanity check [4.14,04/89] USB: serial: ir-usb: fix link-speed handling [4.14,07/89] staging: most: net: fix buffer overflow [4.14,09/89] staging: vt6656: correct packet types for CTS protect, mode. [4.14,10/89] staging: vt6656: use NULLFUCTION stack on mac80211 [4.14,13/89] crypto: chelsio - fix writing tfm flags to wrong place [4.14,15/89] brcmfmac: fix interface sanity check [4.14,16/89] rtl8xxxu: fix interface sanity check [4.14,18/89] arc: eznps: fix allmodconfig kconfig warning [4.14,20/89] phy: cpcap-usb: Prevent USB line glitches from waking up modem [4.14,21/89] watchdog: max77620_wdt: fix potential build errors [4.14,22/89] watchdog: rn5t618_wdt: fix module aliases [4.14,24/89] drivers/net/b44: Change to non-atomic bit operations on pwol_mask [4.14,26/89] gpio: max77620: Add missing dependency on GPIOLIB_IRQCHIP [4.14,27/89] atm: eni: fix uninitialized variable warning [4.14,29/89] usb-storage: Disable UAS on JMicron SATA enclosure [4.14,30/89] net_sched: ematch: reject invalid TCF_EM_SIMPLE [4.14,31/89] rsi: fix use-after-free on probe errors [4.14,35/89] x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup [4.14,37/89] crypto: pcrypt - Fix user-after-free on module unload [4.14,41/89] arm64: kbuild: remove compressed images on make ARCH=arm64 (dist)clean [4.14,42/89] ext4: validate the debug_want_extra_isize mount option at parse time [4.14,43/89] mm/mempolicy.c: fix out of bounds write in mpol_parse_str() [4.14,45/89] media: digitv: dont continue if remote control state cant be read [4.14,48/89] media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 [4.14,49/89] ttyprintk: fix a potential deadlock in interrupt context issue [4.14,50/89] Bluetooth: Fix race condition in hci_release_sock() [4.14,54/89] ARM: dts: beagle-x15-common: Model 5V0 regulator [4.14,55/89] soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot [4.14,57/89] clk: mmp2: Fix the order of timer mux parents [4.14,61/89] ASoC: sti: fix possible sleep-in-atomic [4.14,62/89] qmi_wwan: Add support for Quectel RM500Q [4.14,65/89] mac80211: Fix TKIP replay protection immediately after key setup [4.14,69/89] iwlwifi: mvm: fix NVM check for 3168 devices [4.14,70/89] Input: aiptek - use descriptors of current altsetting [4.14,73/89] scsi: fnic: do not queue commands during fwreset [4.14,74/89] ARM: 8955/1: virt: Relax arch timer version check during early boot [4.14,76/89] airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE [4.14,77/89] airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE [4.14,80/89] powerpc/fsl/dts: add fsl,erratum-a011043 [4.14,81/89] net/fsl: treat fsl,erratum-a011043 [4.14,83/89] net/sonic: Add mutual exclusion for accessing shared state [4.14,85/89] net/sonic: Fix receive buffer handling [4.14,88/89] l2t_seq_next should increase position index

Message ID

20200203161917.810156004@linuxfoundation.org

State

Superseded

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Andrey Shvetsov <andrey.shvetsov@k2l.de>
Subject: [PATCH 4.14 07/89] staging: most: net: fix buffer overflow
Date: Mon,  3 Feb 2020 16:18:52 +0000
Message-Id: <20200203161917.810156004@linuxfoundation.org>
In-Reply-To: <20200203161916.847439465@linuxfoundation.org>
References: <20200203161916.847439465@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
Precedence: bulk

Series

None | expand

Commit Message

Greg Kroah-Hartman Feb. 3, 2020, 4:18 p.m. UTC

From: Andrey Shvetsov <andrey.shvetsov@k2l.de>

commit 4d1356ac12f4d5180d0df345d85ff0ee42b89c72 upstream.

If the length of the socket buffer is 0xFFFFFFFF (max size for an
unsigned int), then payload_len becomes 0xFFFFFFF1 after subtracting 14
(ETH_HLEN).  Then, mdp_len is set to payload_len + 16 (MDP_HDR_LEN)
which overflows and results in a value of 2.  These values for
payload_len and mdp_len will pass current buffer size checks.

This patch checks if derived from skb->len sum may overflow.

The check is based on the following idea:

For any `unsigned V1, V2` and derived `unsigned SUM = V1 + V2`,
`V1 + V2` overflows iif `SUM < V1`.

Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Andrey Shvetsov <andrey.shvetsov@k2l.de>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200116172238.6046-1-andrey.shvetsov@microchip.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/most/aim-network/networking.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/staging/most/aim-network/networking.c
+++ b/drivers/staging/most/aim-network/networking.c
@@ -85,6 +85,11 @@  static int skb_to_mamac(const struct sk_
 	unsigned int payload_len = skb->len - ETH_HLEN;
 	unsigned int mdp_len = payload_len + MDP_HDR_LEN;
 
+	if (mdp_len < skb->len) {
+		pr_err("drop: too large packet! (%u)\n", skb->len);
+		return -EINVAL;
+	}
+
 	if (mbo->buffer_length < mdp_len) {
 		pr_err("drop: too small buffer! (%d for %d)\n",
 		       mbo->buffer_length, mdp_len);
@@ -132,6 +137,11 @@  static int skb_to_mep(const struct sk_bu
 	u8 *buff = mbo->virt_address;
 	unsigned int mep_len = skb->len + MEP_HDR_LEN;
 
+	if (mep_len < skb->len) {
+		pr_err("drop: too large packet! (%u)\n", skb->len);
+		return -EINVAL;
+	}
+
 	if (mbo->buffer_length < mep_len) {
 		pr_err("drop: too small buffer! (%d for %d)\n",
 		       mbo->buffer_length, mep_len);

[4.14,07/89] staging: most: net: fix buffer overflow

Commit Message

Patch