tmp_suning_uos_patched/net/llc
Pavel Skripkin e6097071a4 net: llc: fix skb_over_panic
[ Upstream commit c7c9d2102c9c098916ab9e0ab248006107d00d6c ]

Syzbot reported skb_over_panic() in llc_pdu_init_as_xid_cmd(). The
problem was in wrong LLC header manipulations.

Syzbot's reproducer tries to send an XID packet. llc_ui_sendmsg() is
doing the following steps:

	1. skb allocation with size = len + header size
		len is passed from userspace and header size
		is 3 since addr->sllc_xid is set.

	2. skb_reserve() for header_len = 3
	3. filling all other space with memcpy_from_msg()

Ok, at this moment we have a fully loaded skb, only the headers need to be
filled.

Then the code comes to llc_sap_action_send_xid_c(). This function pushes 3
bytes for the LLC PDU header and initializes it. Then comes
llc_pdu_init_as_xid_cmd(). It initializes the next 3 bytes *AFTER* the LLC PDU
header and calls skb_push(skb, 3). This looks wrong for 2 reasons:

	1. Bytes right after the LLC header are user data, so this function
	   was overwriting payload.

	2. skb_push(skb, 3) call can cause skb_over_panic() since
	   all free space was filled in llc_ui_sendmsg(). (This can
	   happen if the user passed 686 len: 686 + 14 (eth header) + 3 (LLC
	   header) = 703. SKB_DATA_ALIGN(703) = 704)

So, in this patch I added 2 new private constants: LLC_PDU_TYPE_U_XID
and LLC_PDU_LEN_U_XID. LLC_PDU_LEN_U_XID is used to correctly reserve
header size to handle LLC + XID case. LLC_PDU_TYPE_U_XID is used by
llc_pdu_header_init() function to push 6 bytes instead of 3. And finally
I removed skb_push() call from llc_pdu_init_as_xid_cmd().

These changes should not affect other parts of LLC, since after
all steps we just transmit the buffer.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+5e5a981ad7cc54c4b2b4@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-08-04 12:46:43 +02:00
..
af_llc.c net: llc: fix skb_over_panic 2021-08-04 12:46:43 +02:00
Kconfig
llc_c_ac.c llc: fix sk_buff leak in llc_conn_service() 2019-10-08 13:23:05 -07:00
llc_c_ev.c
llc_c_st.c
llc_conn.c net: llc: kerneldoc fixes 2020-07-13 17:20:39 -07:00
llc_core.c
llc_if.c llc: fix another potential sk_buff leak in llc_ui_sendmsg() 2019-10-08 13:23:05 -07:00
llc_input.c net: llc: kerneldoc fixes 2020-07-13 17:20:39 -07:00
llc_output.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 281 2019-06-05 17:36:36 +02:00
llc_pdu.c net: llc: kerneldoc fixes 2020-07-13 17:20:39 -07:00
llc_proc.c net: Add missing annotation for llc_seq_start() 2020-02-24 13:26:49 -08:00
llc_s_ac.c net: llc: fix skb_over_panic 2021-08-04 12:46:43 +02:00
llc_s_ev.c
llc_s_st.c
llc_sap.c net: llc: kerneldoc fixes 2020-07-13 17:20:39 -07:00
llc_station.c llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) 2019-12-20 21:19:36 -08:00
Makefile
sysctl_net_llc.c