| From foo@baz Mon 27 Jan 2020 04:06:27 PM CET |
| From: Cong Wang <xiyou.wangcong@gmail.com> |
| Date: Wed, 22 Jan 2020 15:42:02 -0800 |
| Subject: net_sched: fix datalen for ematch |
| |
| From: Cong Wang <xiyou.wangcong@gmail.com> |
| |
| [ Upstream commit 61678d28d4a45ef376f5d02a839cc37509ae9281 ] |
| |
| syzbot reported an out-of-bound access in em_nbyte. As initially |
| analyzed by Eric, this is because em_nbyte sets its own em->datalen |
| in em_nbyte_change() other than the one specified by user, but this |
| value gets overwritten later by its caller tcf_em_validate(). |
| We should leave em->datalen untouched to respect their choices. |
| |
| I audit all the in-tree ematch users, all of those implement |
| ->change() set em->datalen, so we can just avoid setting it twice |
| in this case. |
| |
| Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com |
| Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com |
| Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") |
| Cc: Eric Dumazet <eric.dumazet@gmail.com> |
| Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> |
| Reviewed-by: Eric Dumazet <edumazet@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/sched/ematch.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/sched/ematch.c |
| +++ b/net/sched/ematch.c |
| @@ -267,12 +267,12 @@ static int tcf_em_validate(struct tcf_pr |
| } |
| em->data = (unsigned long) v; |
| } |
| + em->datalen = data_len; |
| } |
| } |
| |
| em->matchid = em_hdr->matchid; |
| em->flags = em_hdr->flags; |
| - em->datalen = data_len; |
| em->net = net; |
| |
| err = 0; |