Please consider
commit 37bd22420f856fcd976989f1d4f1f7ad28e1fcac ("af_key: pfkey_dump
needs parameter validation")
for merge into all the maintained stable trees.
Cc: netdev@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: sta...@vger.kernel.org
Cc: Greg KH
Fix
On 7/24/20 2:14 PM, Jacob Keller wrote:
On 7/23/2020 12:35 PM, Eric Dumazet wrote:
On 7/23/20 11:21 AM, Mark Salyzyn wrote:
Many of the nla_get_* inlines fail to check attribute's length before
copying the content resulting in possible out-of-boundary accesses.
Adjust the inlines to pe
On 7/23/20 12:35 PM, Eric Dumazet wrote:
I believe this will hide bugs, that syzbot was able to catch.
syzbot failed to catch the problem because of padding u8, u16 and u32
were all immune because they would go out of bounds into a padded buffer :-(
On 7/23/20 12:19 PM, David Miller wrote:
mance critical and do not need a likely fast path.
Signed-off-by: Mark Salyzyn
Cc: netdev@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Thomas Graf
Fixes: bfa83a9e03cf ("[NETLINK]: Type-safe netlink messages/a
In pfkey_dump() dplen and splen can both be specified to access the
xfrm_address_t structure out of bounds in __xfrm_state_filter_match()
when it calls addr_match() with the indexes. Return EINVAL if either
is out of range.
Signed-off-by: Mark Salyzyn
Cc: netdev@vger.kernel.org
Cc: linux-ker
On 7/22/20 2:33 AM, Steffen Klassert wrote:
On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote:
In pfkey_dump() dplen and splen can both be specified to access the
xfrm_address_t structure out of bounds in __xfrm_state_filter_match()
when it calls addr_match() with the indexes. Return
In pfkey_dump() dplen and splen can both be specified to access the
xfrm_address_t structure out of bounds in __xfrm_state_filter_match()
when it calls addr_match() with the indexes. Return EINVAL if either
is out of range.
Signed-off-by: Mark Salyzyn
Cc: netdev@vger.kernel.org
Cc: linux-ker
_size was only little over 32KiB.
This patch trims skb to allocated size in order to allow the user to
avoid truncation with more reasonable buffer size.
Signed-off-by: Ronen Arad
Signed-off-by: David S. Miller
(cherry pick commit db65a3aaf29ecce2e34271d52e8d2336b97bd9fe)
Signed-off-by: M
On 02/01/2019 11:41 AM, Mark Salyzyn wrote:
if (alloc_size < nlk->max_recvmsg_len) {
if (alloc_min_size < nlk->max_recvmgs_len) {
-- Mark
B.
This patch trims skb to allocated size in order to allow the user to
avoid truncation with more reasonable buffer size.
Signed-off-by: Ronen Arad
Signed-off-by: David S. Miller
(cherry pick commit db65a3aaf29ecce2e34271d52e8d2336b97bd9fe)
Signed-off-by: Mark Salyzyn
---
net/netlink/af_netli
can go from here.
Sincerely -- Mark Salyzyn
On 07/28/2017 10:41 AM, Andrew Lunn wrote:
On Fri, Jul 28, 2017 at 10:15:23AM -0700, Mark Salyzyn wrote:
(Resend to wider audience to comply with
Documentation/networking/netdev-FAQ.txt)
Please apply/backport the following upstream feature and followup
grouped fixes patches to the stable trees
configuration.
Sincerely -- Mark Salyzyn
to follow as our investigations continue, but
this is already turning into a tall order so we stop here.
Sincerely -- Mark Salyzyn
got a rare NULL pointer dereference in clear_bit
Signed-off-by: Mark Salyzyn
v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c
v3: return -ECONNRESET in upstream caller of wait function for SOCK_DEAD
---
net/caif/caif_socket.c | 8
net/unix/af_unix.c | 8
On 05/22/2015 11:16 AM, Hannes Frederic Sowa wrote:
On Fri, May 22, 2015, at 18:24, Mark Salyzyn wrote:
On 05/22/2015 08:35 AM, Hannes Frederic Sowa wrote:
I still wonder if we need to actually recheck the condition and not
simply break out of unix_stream_data_wait:
We return to the
with unix_state_lock against concurrent modification with unix_release,
as such we could end up concurrently dequeueing packets if socket is
DEAD.
sock destroy(sic) is called before sock_orphan which sets SOCK_DEAD, so
the receive queue has already been drained.
Sincerely -- Mark Salyzyn
--
To
got a rare NULL pointer dereference in clear_bit
Signed-off-by: Mark Salyzyn
v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c
net/caif/caif_socket.c | 4
net/unix/af_unix.c | 4
2 files changed, 8 insertions(+)
diff --git a/net/caif/caif_socket.c b
On 05/22/2015 02:50 AM, Hannes Frederic Sowa wrote:
On Do, 2015-05-21 at 09:25 -0700, Mark Salyzyn wrote:
got a rare NULL pointer dereference in clear_bit
Signed-off-by: Mark Salyzyn
---
net/unix/af_unix.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/net/unix/af_unix.c b/net
got a rare NULL pointer dereference in clear_bit
Signed-off-by: Mark Salyzyn
---
net/unix/af_unix.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 5266ea7..37a8925 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1880,6