GitHub-Mirror/Star64_linux
2
0
Fork 0
mirror of https://github.com/Fishwaldo/Star64_linux.git synced 2025-03-16 04:04:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
No description
1064511 commits 24 branches 25 tags 2.7 GiB
C 97.9%
Assembly 1.1%
Shell 0.4%
Makefile 0.3%
Python 0.1%
Find a file
Zhengchao Shao 3770871190 xfrm: fix slab-use-after-free in decode_session6 
[ Upstream commit 53223f2ed1 ]

When the xfrm device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when the xfrm device sends IPv6 packets.

The stack information is as follows:
BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
Read of size 1 at addr ffff8881111458ef by task swapper/3/0
CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xd9/0x150
print_address_description.constprop.0+0x2c/0x3c0
kasan_report+0x11d/0x130
decode_session6+0x103f/0x1890
__xfrm_decode_session+0x54/0xb0
xfrmi_xmit+0x173/0x1ca0
dev_hard_start_xmit+0x187/0x700
sch_direct_xmit+0x1a3/0xc30
__qdisc_run+0x510/0x17a0
__dev_queue_xmit+0x2215/0x3b10
neigh_connected_output+0x3c2/0x550
ip6_finish_output2+0x55a/0x1550
ip6_finish_output+0x6b9/0x1270
ip6_output+0x1f1/0x540
ndisc_send_skb+0xa63/0x1890
ndisc_send_rs+0x132/0x6f0
addrconf_rs_timer+0x3f1/0x870
call_timer_fn+0x1a0/0x580
expire_timers+0x29b/0x4b0
run_timer_softirq+0x326/0x910
__do_softirq+0x1d4/0x905
irq_exit_rcu+0xb7/0x120
sysvec_apic_timer_interrupt+0x97/0xc0
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:intel_idle_hlt+0x23/0x30
Code: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 <fa> 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4
RSP: 0018:ffffc90000197d78 EFLAGS: 00000246
RAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5
RDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50
RBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d
R10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001
R13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000
cpuidle_enter_state+0xd3/0x6f0
cpuidle_enter+0x4e/0xa0
do_idle+0x2fe/0x3c0
cpu_startup_entry+0x18/0x20
start_secondary+0x200/0x290
secondary_startup_64_no_verify+0x167/0x16b
</TASK>
Allocated by task 939:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x7f/0x90
kmem_cache_alloc_node+0x1cd/0x410
kmalloc_reserve+0x165/0x270
__alloc_skb+0x129/0x330
inet6_ifa_notify+0x118/0x230
__ipv6_ifa_notify+0x177/0xbe0
addrconf_dad_completed+0x133/0xe00
addrconf_dad_work+0x764/0x1390
process_one_work+0xa32/0x16f0
worker_thread+0x67d/0x10c0
kthread+0x344/0x440
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff888111145800
which belongs to the cache skbuff_small_head of size 640
The buggy address is located 239 bytes inside of
freed 640-byte region [ffff888111145800, ffff888111145a80)

As commit f855691975 ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.

Fixes: f855691975 ("xfrm6: Fix the nexthdr offset in _decode_session6.")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-08-28 23:27:01 +08:00
arch powerpc/rtas_flash: allow user copy to flash block cache objects 2023-08-28 23:27:00 +08:00
block block/partition: fix signedness issue for Amiga partitions 2023-08-20 15:24:51 +08:00
certs certs/blacklist_hashes.c: fix const confusion in certs blacklist 2023-04-19 17:50:34 +08:00
crypto KEYS: asymmetric: Copy sig and digest in public_key_verify_signature() 2023-08-20 15:21:12 +08:00
Documentation iommu/arm-smmu-v3: Document nesting-related errata 2023-08-20 16:01:31 +08:00
drivers i2c: designware: Handle invalid SMBus block data response length value 2023-08-28 23:27:01 +08:00
fs btrfs: fix BUG_ON condition in btrfs_cancel_balance 2023-08-28 23:27:01 +08:00
include media: v4l2-mem2mem: add lock to protect parameter num_rdy 2023-08-28 23:26:55 +08:00
init x86/mm: Initialize text poking earlier 2023-08-20 16:01:29 +08:00
io_uring io_uring: correct check for O_TMPFILE 2023-08-20 16:01:40 +08:00
ipc ipc/sem: Fix dangling sem_array access in semtimedop race 2023-04-19 17:56:54 +08:00
kernel ring-buffer: Do not swap cpu_buffer during resize process 2023-08-28 23:26:57 +08:00
lib test_firmware: return ENOMEM instead of ENOSPC on failed memory allocation 2023-08-20 15:24:43 +08:00
LICENSES LICENSES/dual/CC-BY-4.0: Git rid of "smart quotes" 2021-07-15 06:31:24 -06:00
mm mm/damon/ops-common: atomically test and clear young on ptes and pmds 2023-08-20 15:24:58 +08:00
net xfrm: fix slab-use-after-free in decode_session6 2023-08-28 23:27:01 +08:00
samples samples: ftrace: Save required argument registers in sample trampolines 2023-08-20 16:01:05 +08:00
scripts kbuild: Disable GCOV for *.mod.o 2023-08-20 15:24:38 +08:00
security security: keys: Modify mismatched function name 2023-08-20 16:01:12 +08:00
sound ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync() 2023-08-28 23:26:57 +08:00
tools selftests: forwarding: tc_actions: Use ncat instead of nc 2023-08-28 23:26:54 +08:00
usr usr/include/Makefile: add linux/nfc.h to the compile-test coverage 2023-04-19 17:44:58 +08:00
virt KVM: Grab a reference to KVM for VM and vCPU stats file descriptors 2023-08-20 16:01:23 +08:00
.clang-format clang-format: Update with the latest for_each macro list 2021-05-12 23:32:39 +02:00
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore .gitignore: ignore only top-level modules.builtin 2021-05-02 00:43:35 +09:00
.mailmap mailmap: add Andrej Shadura 2021-10-18 20:22:03 -10:00
COPYING COPYING: state that all contributions really are covered by this file 2020-02-10 13:32:20 -08:00
CREDITS MAINTAINERS: Move Daniel Drake to credits 2021-09-21 08:34:58 +03:00
Kbuild kbuild: rename hostprogs-y/always to hostprogs/always-y 2020-02-04 01:53:07 +09:00
Kconfig kbuild: ensure full rebuild when the compiler is updated 2020-05-12 13:28:33 +09:00
MAINTAINERS iio: stx104: Move to addac subdirectory 2023-08-28 23:26:58 +08:00
Makefile Linux 5.15.127 2023-08-20 16:01:45 +08:00
README
stfsync.txt add file to track last rebase commit from stf 2023-08-21 00:12:49 +08:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.