averello/linux-stable-mirror
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2026-04-03 12:05:13 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
72c64fa2e474026a12bd190dd48c19dde36775f8
linux-stable-mirror/net
History
Paul Chaignon fe9d33f047 bpf: Explicitly check accesses to bpf_sock_addr 
[ Upstream commit 6fabca2fc9 ]

Syzkaller found a kernel warning on the following sock_addr program:

    0: r0 = 0
    1: r2 = *(u32 *)(r1 +60)
    2: exit

which triggers:

    verifier bug: error during ctx access conversion (0)

This is happening because offset 60 in bpf_sock_addr corresponds to an
implicit padding of 4 bytes, right after msg_src_ip4. Access to this
padding isn't rejected in sock_addr_is_valid_access and it thus later
fails to convert the access.

This patch fixes it by explicitly checking the various fields of
bpf_sock_addr in sock_addr_is_valid_access.

I checked the other ctx structures and is_valid_access functions and
didn't find any other similar cases. Other cases of (properly handled)
padding are covered in new tests in a subsequent patch.

Fixes: 1cedee13d2 ("bpf: Hooks for sys_sendmsg")
Reported-by: syzbot+136ca59d411f92e821b7@syzkaller.appspotmail.com
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Closes: https://syzkaller.appspot.com/bug?extid=136ca59d411f92e821b7
Link: https://lore.kernel.org/bpf/b58609d9490649e76e584b0361da0abd3c2c1779.1758094761.git.paul.chaignon@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-10-15 12:00:02 +02:00
..
6lowpan
9p
net/9p: fix double req put in p9_fd_cancelled
2025-10-12 12:57:19 +02:00
802
8021q
net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime
2025-07-24 08:56:34 +02:00
appletalk
net: appletalk: Fix use-after-free in AARP proxy probe
2025-08-01 09:48:41 +01:00
atm
net: atm: fix memory leak in atm_register_sysfs when device_register fail
2025-09-09 18:58:13 +02:00
ax25
ax25: properly unshare skbs in ax25_kiss_rcv()
2025-09-09 18:58:13 +02:00
batman-adv
batman-adv: fix OOB read/write in network-coding decode
2025-09-09 18:58:18 +02:00
bluetooth
Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync
2025-10-02 13:44:10 +02:00
bpf
bridge
net: bridge: Bounce invalid boolopts
2025-09-19 16:35:48 +02:00
caif
caif: reduce stack size, again
2025-08-15 12:13:40 +02:00
can
can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails
2025-09-19 16:35:49 +02:00
ceph
libceph: fix invalid accesses to ceph_connection_v1_info
2025-09-19 16:35:47 +02:00
core
bpf: Explicitly check accesses to bpf_sock_addr
2025-10-15 12:00:02 +02:00
dcb
dccp
devlink
dns_resolver
dsa
net: dsa: provide implementation of .support_eee()
2025-09-09 18:58:19 +02:00
ethernet
ethtool
handshake
hsr
hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr
2025-09-19 16:35:50 +02:00
ieee802154
ife
ipv4
nexthop: Forbid FDB status change while nexthop is in a group
2025-10-02 13:44:10 +02:00
ipv6
net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6
2025-09-09 18:58:10 +02:00
iucv
kcm
net: kcm: Fix race condition in kcm_unattach()
2025-08-20 18:30:18 +02:00
key
l2tp
l2tp: do not use sock_hold() in pppol2tp_session_get_sock()
2025-09-04 15:31:51 +02:00
l3mdev
lapb
llc
mac80211
wifi: mac80211: fix incorrect type for ret
2025-09-25 11:13:41 +02:00
mac802154
mctp
mctp: return -ENOPROTOOPT for unknown getsockopt options
2025-09-09 18:58:13 +02:00
mpls
mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().
2025-06-27 11:11:43 +01:00
mptcp
mptcp: pm: nl: announce deny-join-id0 flag
2025-09-25 11:13:50 +02:00
ncsi
net: ncsi: Fix buffer overflow in fetching version id
2025-08-20 18:30:38 +02:00
netfilter
netfilter: nft_set_pipapo: fix null deref for empty set
2025-09-19 16:35:51 +02:00
netlabel
calipso: unlock rcu before returning -EAFNOSUPPORT
2025-06-19 15:32:37 +02:00
netlink
genetlink: fix genl_bind() invoking bind() after -EPERM
2025-09-19 16:35:48 +02:00
netrom
nfc
NFC: nci: uart: Set tty->disc_data only in success path
2025-06-27 11:11:21 +01:00
nsh
openvswitch
packet
net/packet: fix a race in packet_set_ring() and packet_notifier()
2025-08-15 12:14:09 +02:00
phonet
phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept()
2025-07-24 08:56:24 +02:00
psample
qrtr
rds
rds: ib: Increment i_fastreg_wrs before bailing out
2025-09-25 11:13:47 +02:00
rfkill
net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer
2025-09-25 11:13:47 +02:00
rose
net: rose: fix a typo in rose_clear_routes()
2025-09-04 15:31:55 +02:00
rxrpc
rxrpc: Fix transmission of an abort in response to an abort
2025-07-24 08:56:35 +02:00
sched
net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate
2025-08-28 16:31:15 +02:00
sctp
sctp: initialize more fields in sctp_v6_from_sk()
2025-09-04 15:31:51 +02:00
smc
net/smc: fix warning in smc_rx_splice() when calling get_page()
2025-10-02 13:44:10 +02:00
strparser
sunrpc
Revert "SUNRPC: Don't allow waiting for exiting tasks"
2025-09-19 16:35:45 +02:00
switchdev
tipc
tipc: Fix use-after-free in tipc_conn_close().
2025-07-17 18:37:05 +02:00
tls
tls: make sure to abort the stream if headers are bogus
2025-09-25 11:13:44 +02:00
unix
af_unix: Don't set -ECONNRESET for consumed OOB skb.
2025-07-06 11:01:40 +02:00
vmw_vsock
vsock/virtio: Validate length in packet header before skb_put()
2025-08-28 16:30:59 +02:00
wireless
wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
2025-09-09 18:58:12 +02:00
x25
xdp
xfrm
xfrm: xfrm_alloc_spi shouldn't use 0 as SPI
2025-10-02 13:44:09 +02:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c
sysctl_net.c