linux-stable

mirror of https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/linux-stable.git synced 2025-09-26 17:10:55 +10:00

History

Kuniyuki Iwashima 3c80c230d6 atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control(). [ Upstream commit `ec79003c5f` ] syzbot reported the splat below. [0] When atmtcp_v_open() or atmtcp_v_close() is called via connect() or close(), atmtcp_send_control() is called to send an in-kernel special message. The message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length. Also, a pointer of struct atm_vcc is set to atmtcp_control.vcc. The notable thing is struct atmtcp_control is uAPI but has a space for an in-kernel pointer. struct atmtcp_control { struct atmtcp_hdr hdr; /* must be first / ... atm_kptr_t vcc; / both directions */ ... } __ATM_API_ALIGN; typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t; The special message is processed in atmtcp_recv_control() called from atmtcp_c_send(). atmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths: 1. .ndo_start_xmit() (vcc->send() == atm_send_aal0()) 2. vcc_sendmsg() The problem is sendmsg() does not validate the message length and userspace can abuse atmtcp_recv_control() to overwrite any kptr by atmtcp_control. Let's add a new ->pre_send() hook to validate messages from sendmsg(). [0]: Oops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI KASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f] CPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline] RIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297 Code: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c RSP: 0018:ffffc90003f5f810 EFLAGS: 00010203 RAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c RBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd R10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000 R13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff FS: 00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0 Call Trace: <TASK> vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:729 ____sys_sendmsg+0x505/0x830 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmsg net/socket.c:2700 [inline] __do_sys_sendmsg net/socket.c:2705 [inline] __se_sys_sendmsg net/socket.c:2703 [inline] __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f8d7e96a4a9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9 RDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005 RBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac R13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250 </TASK> Modules linked in: Fixes: `1da177e4c3` ("Linux-2.6.12-rc2") Reported-by: syzbot+1741b56d54536f4ec349@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/68a6767c.050a0220.3d78fd.0011.GAE@google.com/ Tested-by: syzbot+1741b56d54536f4ec349@syzkaller.appspotmail.com Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20250821021901.2814721-1-kuniyu@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>		2025-09-04 15:30:21 +02:00
..
6lowpan
9p
802
8021q	net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime	2025-07-24 08:53:19 +02:00
appletalk	net: appletalk: Fix use-after-free in AARP proxy probe	2025-08-01 09:47:29 +01:00
atm	atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().	2025-09-04 15:30:21 +02:00
ax25
batman-adv
bluetooth	Bluetooth: hci_sync: fix set_local_name race condition	2025-09-04 15:30:21 +02:00
bpf
bpfilter
bridge	net: bridge: fix soft lockup in br_multicast_query_expired()	2025-08-28 16:28:48 +02:00
caif	caif: reduce stack size, again	2025-08-15 12:08:45 +02:00
can	can: bcm: add missing rcu read protection for procfs content	2025-06-04 14:42:19 +02:00
ceph
core	net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM	2025-08-28 16:28:48 +02:00
dcb
dccp
devlink
dns_resolver
dsa	net: dsa: tag_brcm: legacy: fix pskb_may_pull length	2025-06-19 15:28:33 +02:00
ethernet
ethtool
handshake
hsr	net, hsr: reject HSR frame if skb can't hold tag	2025-08-28 16:28:39 +02:00
ieee802154
ife
ipv4	net: ipv4: fix regression in local-broadcast routes	2025-09-04 15:30:20 +02:00
ipv6	netfilter: nf_reject: don't leak dst refcount for loopback packets	2025-08-28 16:28:50 +02:00
iucv
kcm
key
l2tp
l3mdev
lapb
llc	llc: fix data loss when reading from a socket in llc_ui_recvmsg()	2025-06-04 14:42:20 +02:00
mac80211	wifi: mac80211: check basic rates validity in sta_link_apply_parameters	2025-08-28 16:28:41 +02:00
mac802154
mctp	net: mctp: Prevent duplicate binds	2025-08-28 16:28:20 +02:00
mpls	mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().	2025-06-27 11:09:02 +01:00
mptcp	mptcp: disable add_addr retransmission when timeout is 0	2025-08-28 16:28:44 +02:00
ncsi	net: ncsi: Fix buffer overflow in fetching version id	2025-08-28 16:28:24 +02:00
netfilter	netfilter: ctnetlink: fix refcount leak on table dump	2025-08-28 16:28:14 +02:00
netlabel	calipso: unlock rcu before returning -EAFNOSUPPORT	2025-06-19 15:28:46 +02:00
netlink	net: better track kernel sockets lifetime	2025-08-28 16:28:39 +02:00
netrom
nfc	NFC: nci: uart: Set tty->disc_data only in success path	2025-06-27 11:08:48 +01:00
nsh
openvswitch	net: openvswitch: Fix the dead loop of MPLS parse	2025-06-19 15:28:19 +02:00
packet	net/packet: fix a race in packet_set_ring() and packet_notifier()	2025-08-15 12:09:05 +02:00
phonet	phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept()	2025-07-24 08:53:12 +02:00
psample
qrtr
rds	net: better track kernel sockets lifetime	2025-08-28 16:28:39 +02:00
rfkill
rose	rose: fix dangling neighbour pointers in rose_rt_device_down()	2025-07-10 16:03:11 +02:00
rxrpc	rxrpc: Fix transmission of an abort in response to an abort	2025-07-24 08:53:20 +02:00
sched	net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate	2025-08-28 16:28:49 +02:00
sctp	sctp: linearize cloned gso packets in sctp_rcv	2025-08-28 16:28:14 +02:00
smc	net/smc: fix UAF on smcsk after smc_listen_out()	2025-08-28 16:28:49 +02:00
strparser
sunrpc	net: better track kernel sockets lifetime	2025-08-28 16:28:39 +02:00
switchdev
tipc	tipc: Fix use-after-free in tipc_conn_close().	2025-07-17 18:35:09 +02:00
tls	tls: fix handling of zero-length records on the rx_list	2025-08-28 16:28:46 +02:00
unix	af_unix: Don't set -ECONNRESET for consumed OOB skb.	2025-07-06 11:00:12 +02:00
vmw_vsock	vsock/virtio: Validate length in packet header before skb_put()	2025-08-28 16:28:36 +02:00
wireless	wifi: cfg80211: reject HTC bit for management frames	2025-08-28 16:28:20 +02:00
x25
xdp
xfrm	xfrm: Duplicate SPI Handling	2025-08-28 16:28:22 +02:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile	af_unix: Remove CONFIG_UNIX_SCM.	2025-06-04 14:42:22 +02:00
socket.c
sysctl_net.c