MacSec: fix backporting error in patches for CVE-2017-7477
Orabug: 26443893
- macsec: dynamically allocate space for sglist (Jason A. Donenfeld) [Orabug: 26368162] {CVE-2017-7477}
- macsec: avoid heap overflow in skb_to_sgvec (Jason A. Donenfeld) [Orabug: 26368162] {CVE-2017-7477}
The backporting of the above patches introduced a heap overrun error shown
as bug 26443893.

------------[ cut here ]------------
WARNING: CPU: 28 PID: 0 at kernel/time/timer.c:1177 call_timer_fn+0x142/0x150()
timer: mld_ifc_timer_expire+0x0/0x2d0 preempt leak: 00000100 -> 00000101
Modules linked in: gcm macsec fuse btrfs xor raid6_pq vfat msdos fat ext4 jbd2 ext2 mbcache2 ip6table_filter ip6_tables
BUG: workqueue leaked lock or atomic: kworker/15:2/0x00000001/689
last function: addrconf_dad_work
CPU: 15 PID: 689 Comm: kworker/15:2 Not tainted 4.1.12-103.2.6.el7uek.x86_64
Hardware name: Oracle Corporation SUN SERVER X4-2 /ASSY,MOTHERBOARD,1U , BIOS 25010603 01/16/2014
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
[<ffffffff81735938>] dump_stack+0x63/0x81
[<ffffffff810a0fd8>] process_one_work+0x3a8/0x460
[<ffffffff810a1582>] worker_thread+0x112/0x520
[<ffffffff810a1470>] ? rescuer_thread+0x3e0/0x3e0
[<ffffffff810a7348>] kthread+0xd8/0xf0
[<ffffffff810a7270>] ? kthread_create_on_node+0x1b0/0x1b0
[<ffffffff8173d9a2>] ret_from_fork+0x42/0x70
[<ffffffff810a7270>] ? kthread_create_on_node+0x1b0/0x1b0
BUG: scheduling while atomic: kworker/15:2/689/0x00000001

1. newly introduced variable "num_frags" not used in 'sg_ad', assumes
'MAX_SKB_FRAGS + 1'
2. Initialization of sglist assumes 'MAX_SKB_FRAGS + 1' length, though it was
changed to the number of scatterlist elements being returned from
"skb_cow_data()"
3. It seems that "sg_init_table(sg, MAX_SKB_FRAGS + 1);" is redundant, it was
already done a few lines before.
This patch may solve the above issues.
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: Ethan Zhao <ethan.zhao@oracle.com>