summaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
authorLorenz Bauer <lmb@isovalent.com>2023-08-15 09:53:41 +0100
committerMartin KaFai Lau <martin.lau@kernel.org>2023-08-15 13:57:51 -0700
commit8897562f67b3e61ad736cd5c9f307447d33280e4 (patch)
treed407c79392c986d17b4b16d9df68bcc4edbe31f1 /kernel
parentdda770407b817a7cfa72517905857f489cfc5e59 (diff)
downloadlinux-stable-8897562f67b3e61ad736cd5c9f307447d33280e4.tar.gz
linux-stable-8897562f67b3e61ad736cd5c9f307447d33280e4.tar.bz2
linux-stable-8897562f67b3e61ad736cd5c9f307447d33280e4.zip
net: Fix slab-out-of-bounds in inet[6]_steal_sock
Kumar reported a KASAN splat in tcp_v6_rcv: bash-5.2# ./test_progs -t btf_skc_cls_ingress ... [ 51.810085] BUG: KASAN: slab-out-of-bounds in tcp_v6_rcv+0x2d7d/0x3440 [ 51.810458] Read of size 2 at addr ffff8881053f038c by task test_progs/226 The problem is that inet[6]_steal_sock accesses sk->sk_protocol without accounting for request or timewait sockets. To fix this we can't just check sock_common->skc_reuseport since that flag is present on timewait sockets. Instead, add a fullsock check to avoid the out of bands access of sk_protocol. Fixes: 9c02bec95954 ("bpf, net: Support SO_REUSEPORT sockets with bpf_sk_assign") Reported-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Signed-off-by: Lorenz Bauer <lmb@isovalent.com> Link: https://lore.kernel.org/r/20230815-bpf-next-v2-1-95126eaa4c1b@isovalent.com Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Diffstat (limited to 'kernel')
0 files changed, 0 insertions, 0 deletions
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-05 22:22:39 +0000