git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Cong Wang <xiyou.wangcong@gmail.com>
	Wed, 22 Jan 2020 23:42:02 +0000 (15:42 -0800)
committer	Khalid Elmously <khalid.elmously@canonical.com>
	Fri, 6 Mar 2020 07:13:20 +0000 (02:13 -0500)
commit	8d174032b16d2e402f8062ab76901fdda6270fef
tree	068397f21d57a724854d7127119735a66e2e5aa8	tree
parent	96597be2067fbef6639619276b57d5a3be1e0e81	commit \| diff

net_sched: fix datalen for ematch

BugLink: https://bugs.launchpad.net/bugs/1864261
[ Upstream commit 61678d28d4a45ef376f5d02a839cc37509ae9281 ]

syzbot reported an out-of-bound access in em_nbyte. As initially
analyzed by Eric, this is because em_nbyte sets its own em->datalen
in em_nbyte_change() other than the one specified by user, but this
value gets overwritten later by its caller tcf_em_validate().
We should leave em->datalen untouched to respect their choices.

I audit all the in-tree ematch users, all of those implement
->change() set em->datalen, so we can just avoid setting it twice
in this case.

Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com
Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>