www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Eric Dumazet <edumazet@google.com>
	Fri, 19 May 2017 21:17:48 +0000 (14:17 -0700)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Tue, 22 Aug 2017 18:31:33 +0000 (11:31 -0700)
commit	dc0e781c6aa05e2c5758f44e64b215bc4d144b43
tree	b3d56ab81e2aa89e7eeab7f8714892cc1b6bb817	tree
parent	5f65cbf09cef0e1e6832c178338d3a07e0d53664	commit \| diff

ipv6: fix out of bound writes in __ip6_append_data()

Orabug: 26575181
CVE: CVE-2017-9242

Andrey Konovalov and idaifish@gmail.com reported crashes caused by
one skb shared_info being overwritten from __ip6_append_data()

Andrey program lead to following state :

copy -4200 datalen 2000 fraglen 2040
maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200

The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
fraggap, 0); is overwriting skb->head and skb_shared_info

Since we apparently detect this rare condition too late, move the
code earlier to even avoid allocating skb and risking crashes.

Once again, many thanks to Andrey and syzkaller team.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Reported-by: <idaifish@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 232cd35d0804cc241eb887bb8d4d9b3b9881c64a)
Signed-off-by: Brian Maly <brian.maly@oracle.com>
Conflicts:
net/ipv6/ip6_output.c