]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit
projects / mirror_ubuntu-jammy-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1baed8f) | patch
net: ipv6: fix skb_over_panic in __ip6_append_data
authorTadeusz Struk <tadeusz.struk@linaro.org>
Thu, 10 Mar 2022 23:25:38 +0000 (15:25 -0800)
committerStefan Bader <stefan.bader@canonical.com>
Wed, 27 Apr 2022 09:56:13 +0000 (11:56 +0200)
commite960472b876d47b6d543d06fae473a99191bdbfb
treee52416ff1b1d727d6673466c271e55eceb2c9511tree
parent1baed8f6011db5b2f6c524705552d2cbffebf552commit | diff
net: ipv6: fix skb_over_panic in __ip6_append_data

BugLink: https://bugs.launchpad.net/bugs/1969106
commit 5e34af4142ffe68f01c8a9acae83300f8911e20c upstream.

Syzbot found a kernel bug in the ipv6 stack:
LINK: https://syzkaller.appspot.com/bug?id=205d6f11d72329ab8d62a610c44c5e7e25415580
The reproducer triggers it by sending a crafted message via sendmmsg()
call, which triggers skb_over_panic, and crashes the kernel:

skbuff: skb_over_panic: text:ffffffff84647fb4 len:65575 put:65575
head:ffff888109ff0000 data:ffff888109ff0088 tail:0x100af end:0xfec0
dev:<NULL>

Update the check that prevents an invalid packet with MTU equal
to the fregment header size to eat up all the space for payload.

The reproducer can be found here:
LINK: https://syzkaller.appspot.com/text?tag=ReproC&x=1648c83fb00000
Reported-by: syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Acked-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20220310232538.1044947-1-tadeusz.struk@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2317fd3b126c448fd0bbb3faa77106a7eb58ce92)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
net/ipv6/ip6_output.c diff | blob | blame | history
Ubuntu Jammy Linux kernel mirror