Eric Lee / smarc-fsl-linux-kernel

15 Dec, 2015

1 commit

  • 79462ad02   net: add validation for the socket syscall protocol argument ... Browse Code »

    郭永刚 reported that one could simply crash the kernel as root by
    using a simple program:

    int socket_fd;
    struct sockaddr_in addr;
    addr.sin_port = 0;
    addr.sin_addr.s_addr = INADDR_ANY;
    addr.sin_family = 10;

    socket_fd = socket(10,3,0x40000000);
    connect(socket_fd , &addr,16);

    AF_INET, AF_INET6 sockets actually only support 8-bit protocol
    identifiers. inet_sock's skc_protocol field thus is sized accordingly,
    thus larger protocol identifiers simply cut off the higher bits and
    store a zero in the protocol fields.

    This could lead to e.g. NULL function pointer because as a result of
    the cut off inet_num is zero and we call down to inet_autobind, which
    is NULL for raw sockets.

    kernel: Call Trace:
    kernel: [] ? inet_autobind+0x2e/0x70
    kernel: [] inet_dgram_connect+0x54/0x80
    kernel: [] SYSC_connect+0xd9/0x110
    kernel: [] ? ptrace_notify+0x5b/0x80
    kernel: [] ? syscall_trace_enter_phase2+0x108/0x200
    kernel: [] SyS_connect+0xe/0x10
    kernel: [] tracesys_phase2+0x84/0x89

    I found no particular commit which introduced this problem.

    CVE: CVE-2015-8543
    Cc: Cong Wang
    Reported-by: 郭永刚
    Signed-off-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

    Hannes Frederic Sowa
     

16 Jul, 2015

1 commit

29 Jun, 2015

1 commit

19 Jun, 2015

1 commit

11 May, 2015

1 commit

06 Mar, 2015

1 commit

  • 787fb2bd4   ax25: Fix the build when CONFIG_INET is disabled ... Browse Code »

    >
    > >> net/ax25/ax25_ip.c:225:26: error: unknown type name 'sturct'
    > netdev_tx_t ax25_ip_xmit(sturct sk_buff *skb)
    > ^
    >
    > vim +/sturct +225 net/ax25/ax25_ip.c
    >
    > 219 unsigned short type, const void *daddr,
    > 220 const void *saddr, unsigned int len)
    > 221 {
    > 222 return -AX25_HEADER_LEN;
    > 223 }
    > 224
    > > 225 netdev_tx_t ax25_ip_xmit(sturct sk_buff *skb)
    > 226 {
    > 227 kfree_skb(skb);
    > 228 return NETDEV_TX_OK;

    Ooops I misspelled struct...

    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    kbuild test robot
     

04 Mar, 2015

1 commit

  • 1d5da757d   ax25: Stop using magic neighbour cache operations. ... Browse Code »

    Before the ax25 stack calls dev_queue_xmit it always calls
    ax25_type_trans which sets skb->protocol to ETH_P_AX25.

    Which means that by looking at the protocol type it is possible to
    detect IP packets that have not been munged by the ax25 stack in
    ndo_start_xmit and call a function to munge them.

    Rename ax25_neigh_xmit to ax25_ip_xmit and tweak the return type and
    value to be appropriate for an ndo_start_xmit function.

    Update all of the ax25 devices to test the protocol type for ETH_P_IP
    and return ax25_ip_xmit as the first thing they do. This preserves
    the existing semantics of IP packet processing, but the timing will be
    a little different as the IP packets now pass through the qdisc layer
    before reaching the ax25 ip packet processing.

    Remove the now unnecessary ax25 neighbour table operations.

    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Eric W. Biederman
     

03 Mar, 2015

7 commits

  • 945db424b   ax25: Stop depending on arp_find ... Browse Code »

    Have ax25_neigh_output perform ordinary arp resolution before calling
    ax25_neigh_xmit.

    Call dev_hard_header in ax25_neigh_output with a destination address so
    it will not fail, and the destination mac address will not need to be
    set in ax25_neigh_xmit.

    Remove arp_find from ax25_neigh_xmit (the ordinary arp resolution added
    to ax25_neigh_output removes the need for calling arp_find).

    Document how close ax25_neigh_output is to neigh_resolve_output.

    Cc: Ralf Baechle
    Cc: linux-hams@vger.kernel.org
    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Eric W. Biederman
     
  • abb7b755d   ax25: Stop calling/abusing dev_rebuild_header ... Browse Code »

    - Rename ax25_rebuild_header to ax25_neigh_xmit and call it from
    ax25_neigh_output directly. The rename is to make it clear
    that this is not a rebuild_header operation.

    - Remove ax25_rebuild_header from ax25_header_ops.

    Cc: Ralf Baechle
    Cc: linux-hams@vger.kernel.org
    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Eric W. Biederman
     
  • def677536   neigh: Move neigh_compat_output into ax25_ip.c ... Browse Code »

    The only caller is now is ax25_neigh_construct so move
    neigh_compat_output into ax25_ip.c make it static and rename it
    ax25_neigh_output.

    Cc: Ralf Baechle
    Cc: linux-hams@vger.kernel.org
    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Eric W. Biederman
     
  • 3b6a94bed   ax25: Refactor to use private neighbour operations. ... Browse Code »

    AX25 already has it's own private arp cache operations to isolate
    it's abuse of dev_rebuild_header to transmit packets. Add a function
    ax25_neigh_construct that will allow all of the ax25 devices to
    force using these operations, so that the generic arp code does
    not need to.

    Cc: Ralf Baechle
    Cc: linux-hams@vger.kernel.org
    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Eric W. Biederman
     
  • 46d4e47ab   ax25: Make ax25_header and ax25_rebuild_header static ... Browse Code »

    The only user is in ax25_ip.c so stop exporting these functions.

    Cc: Ralf Baechle
    Cc: linux-hams@vger.kernel.org
    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Eric W. Biederman
     
  • e18dbd059   ax25: In ax25_rebuild_header add missing kfree_skb ... Browse Code »

    In the unlikely (impossible?) event that we attempt to transmit
    an ax25 packet over a non-ax25 device free the skb so we don't
    leak it.

    Cc: Ralf Baechle
    Cc: linux-hams@vger.kernel.org
    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Eric W. Biederman
     
  • 1b7841404   net: Remove iocb argument from sendmsg and recvmsg ... Browse Code »

    After TIPC doesn't depend on iocb argument in its internal
    implementations of sendmsg() and recvmsg() hooks defined in proto
    structure, no any user is using iocb argument in them at all now.
    Then we can drop the redundant iocb argument completely from kinds of
    implementations of both sendmsg() and recvmsg() in the entire
    networking stack.

    Cc: Christoph Hellwig
    Suggested-by: Al Viro
    Signed-off-by: Ying Xue
    Signed-off-by: David S. Miller

    Ying Xue
     

24 Nov, 2014

1 commit

06 Nov, 2014

1 commit

  • 51f3d02b9   net: Add and use skb_copy_datagram_msg() helper. ... Browse Code »

    This encapsulates all of the skb_copy_datagram_iovec() callers
    with call argument signature "skb, offset, msghdr->msg_iov, length".

    When we move to iov_iters in the networking, the iov_iter object will
    sit in the msghdr.

    Having a helper like this means there will be less places to touch
    during that transformation.

    Based upon descriptions and patch from Al Viro.

    Signed-off-by: David S. Miller

    David S. Miller
     

12 Apr, 2014

1 commit

  • 676d23690   net: Fix use after free by removing length arg from sk_data_ready callbacks. ... Browse Code »

    Several spots in the kernel perform a sequence like:

    skb_queue_tail(&sk->s_receive_queue, skb);
    sk->sk_data_ready(sk, skb->len);

    But at the moment we place the SKB onto the socket receive queue it
    can be consumed and freed up. So this skb->len access is potentially
    to freed up memory.

    Furthermore, the skb->len can be modified by the consumer so it is
    possible that the value isn't accurate.

    And finally, no actual implementation of this callback actually uses
    the length argument. And since nobody actually cared about it's
    value, lots of call sites pass arbitrary values in such as '0' and
    even '1'.

    So just remove the length argument from the callback, that way there
    is no confusion whatsoever and all of these use-after-free cases get
    fixed as a side effect.

    Based upon a patch by Eric Dumazet and his suggestion to audit this
    issue tree-wide.

    Signed-off-by: David S. Miller

    David S. Miller
     

19 Jan, 2014

1 commit

  • 342dfc306   net: add build-time checks for msg->msg_name size ... Browse Code »

    This is a follow-up patch to f3d3342602f8bc ("net: rework recvmsg
    handler msg_name and msg_namelen logic").

    DECLARE_SOCKADDR validates that the structure we use for writing the
    name information to is not larger than the buffer which is reserved
    for msg->msg_name (which is 128 bytes). Also use DECLARE_SOCKADDR
    consistently in sendmsg code paths.

    Signed-off-by: Steffen Hurrle
    Suggested-by: Hannes Frederic Sowa
    Acked-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

    Steffen Hurrle
     

21 Nov, 2013

1 commit

19 Oct, 2013

1 commit

  • 768877537   ax25: cleanup a range test ... Browse Code »

    The current test works fine in practice. The "amount" variable is
    actually used as a boolean so negative values or any non-zero values
    count as "true". However since we don't allow numbers greater than one,
    let's not allow negative numbers either.

    Signed-off-by: Dan Carpenter
    Signed-off-by: David S. Miller

    Dan Carpenter
     

13 Jun, 2013

1 commit

  • fe2c6338f   net: Convert uses of typedef ctl_table to struct ctl_table ... Browse Code »

    Reduce the uses of this unnecessary typedef.

    Done via perl script:

    $ git grep --name-only -w ctl_table net | \
    xargs perl -p -i -e '\
    sub trim { my ($local) = @_; $local =~ s/(^\s+|\s+$)//g; return $local; } \
    s/\b(?<!struct\s)ctl_table\b(\s*\*\s*|\s+\w+)/"struct ctl_table " . trim($1)/ge'

    Reflow the modified lines that now exceed 80 columns.

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

    Joe Perches
     

29 May, 2013

1 commit

  • 351638e7d   net: pass info struct via netdevice notifier ... Browse Code »

    So far, only net_device * could be passed along with netdevice notifier
    event. This patch provides a possibility to pass custom structure
    able to provide info that event listener needs to know.

    Signed-off-by: Jiri Pirko

    v2->v3: fix typo on simeth
    shortened dev_getter
    shortened notifier_info struct name
    v1->v2: fix notifier_call parameter in call_netdevice_notifier()
    Signed-off-by: David S. Miller

    Jiri Pirko
     

08 Apr, 2013

1 commit

  • ef3313e84   ax25: fix info leak via msg_name in ax25_recvmsg() ... Browse Code »

    When msg_namelen is non-zero the sockaddr info gets filled out, as
    requested, but the code fails to initialize the padding bytes of struct
    sockaddr_ax25 inserted by the compiler for alignment. Additionally the
    msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
    not always filled up to this size.

    Both issues lead to the fact that the code will leak uninitialized
    kernel stack bytes in net/socket.c.

    Fix both issues by initializing the memory with memset(0).

    Cc: Ralf Baechle
    Signed-off-by: Mathias Krause
    Signed-off-by: David S. Miller

    Mathias Krause
     

28 Feb, 2013

1 commit

  • b67bfe0d4   hlist: drop the node parameter from iterators ... Browse Code »

    I'm not sure why, but the hlist for each entry iterators were conceived

    list_for_each_entry(pos, head, member)

    The hlist ones were greedy and wanted an extra parameter:

    hlist_for_each_entry(tpos, pos, head, member)

    Why did they need an extra pos parameter? I'm not quite sure. Not only
    they don't really need it, it also prevents the iterator from looking
    exactly like the list iterator, which is unfortunate.

    Besides the semantic patch, there was some manual work required:

    - Fix up the actual hlist iterators in linux/list.h
    - Fix up the declaration of other iterators based on the hlist ones.
    - A very small amount of places were using the 'node' parameter, this
    was modified to use 'obj->member' instead.
    - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
    properly, so those had to be fixed up manually.

    The semantic patch which is mostly the work of Peter Senna Tschudin is here:

    @@
    iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

    type T;
    expression a,c,d,e;
    identifier b;
    statement S;
    @@

    -T b;

    [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
    [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
    [akpm@linux-foundation.org: checkpatch fixes]
    [akpm@linux-foundation.org: fix warnings]
    [akpm@linux-foudnation.org: redo intrusive kvm changes]
    Tested-by: Peter Senna Tschudin
    Acked-by: Paul E. McKenney
    Signed-off-by: Sasha Levin
    Cc: Wu Fengguang
    Cc: Marcelo Tosatti
    Cc: Gleb Natapov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Sasha Levin
     

19 Feb, 2013

2 commits

  • ece31ffd5   net: proc: change proc_net_remove to remove_proc_entry ... Browse Code »

    proc_net_remove is only used to remove proc entries
    that under /proc/net,it's not a general function for
    removing proc entries of netns. if we want to remove
    some proc entries which under /proc/net/stat/, we still
    need to call remove_proc_entry.

    this patch use remove_proc_entry to replace proc_net_remove.
    we can remove proc_net_remove after this patch.

    Signed-off-by: Gao feng
    Signed-off-by: David S. Miller

    Gao feng
     
  • d4beaa66a   net: proc: change proc_net_fops_create to proc_create ... Browse Code »

    Right now, some modules such as bonding use proc_create
    to create proc entries under /proc/net/, and other modules
    such as ipv4 use proc_net_fops_create.

    It looks a little chaos.this patch changes all of
    proc_net_fops_create to proc_create. we can remove
    proc_net_fops_create after this patch.

    Signed-off-by: Gao feng
    Signed-off-by: David S. Miller

    Gao feng
     

15 Aug, 2012

1 commit

20 Jul, 2012

1 commit

17 Jul, 2012

1 commit

09 Jul, 2012

1 commit

04 Jun, 2012

1 commit

24 Apr, 2012

1 commit

21 Apr, 2012

2 commits

  • 0ca7a4c87   net ax25: Simplify and cleanup the ax25 sysctl handling. ... Browse Code »
    44

    Don't register/unregister every ax25 table in a batch. Instead register
    and unregister per device ax25 sysctls as ax25 devices come and go.

    This moves ax25 to be a completely modern sysctl user. Registering the
    sysctls in just the initial network namespace, removing the use of
    .child entries that are no longer natively supported by the sysctl core
    and taking advantage of the fact that there are no longer any ordering
    constraints between registering and unregistering different sysctl
    tables.

    Signed-off-by: Eric W. Biederman
    Acked-by: Pavel Emelyanov
    Signed-off-by: David S. Miller

    Eric W. Biederman
     
  • 5dd3df105   net: Move all of the network sysctls without a namespace into init_net. ... Browse Code »

    This makes it clearer which sysctls are relative to your current network
    namespace.

    This makes it a little less error prone by not exposing sysctls for the
    initial network namespace in other namespaces.

    This is the same way we handle all of our other network interfaces to
    userspace and I can't honestly remember why we didn't do this for
    sysctls right from the start.

    Signed-off-by: Eric W. Biederman
    Acked-by: Pavel Emelyanov
    Signed-off-by: David S. Miller

    Eric W. Biederman
     

20 Apr, 2012

1 commit

  • 3adadc08c   net ax25: Reorder ax25_exit to remove races. ... Browse Code »
    45

    While reviewing the sysctl code in ax25 I spotted races in ax25_exit
    where it is possible to receive notifications and packets after already
    freeing up some of the data structures needed to process those
    notifications and updates.

    Call unregister_netdevice_notifier early so that the rest of the cleanup
    code does not need to deal with network devices. This takes advantage
    of my recent enhancement to unregister_netdevice_notifier to send
    unregister notifications of all network devices that are current
    registered.

    Move the unregistration for packet types, socket types and protocol
    types before we cleanup any of the ax25 data structures to remove the
    possibilities of other races.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: David S. Miller

    Eric W. Biederman
     

16 Apr, 2012

1 commit

29 Mar, 2012

1 commit

29 Dec, 2011

1 commit

  • ba1cffe02   ax25: avoid overflows in ax25_setsockopt() ... Browse Code »

    Commit be639ac6 ("NET: AX.25: Check ioctl arguments to avoid overflows
    further down the road") rejects very large arguments, but doesn't
    completely fix overflows on 64-bit systems. Consider the AX25_T2 case.

    int opt;
    ...
    if (opt < 1 || opt > ULONG_MAX / HZ) {
    res = -EINVAL;
    break;
    }
    ax25->t2 = opt * HZ;

    The 32-bit multiplication opt * HZ would overflow before being assigned
    to 64-bit ax25->t2. This patch changes "opt" to unsigned long.

    Signed-off-by: Xi Wang
    Cc: Ralf Baechle
    Signed-off-by: David S. Miller

    Xi Wang
     

29 Nov, 2011

1 commit

  • be639ac69   NET: AX.25: Check ioctl arguments to avoid overflows further down the road. ... Browse Code »

    Very large, nonsenical arguments or use in very extreme conditions could
    result in integer overflows. Check ioctls arguments to avoid such
    overflows and return -EINVAL for too large arguments.

    To allow the use of AX.25 for even the most extreme setup (think packet
    radio to the Phase 5E mars probe) we make no further attempt to clamp the
    argument range.

    Originally reported by Fan Long and a first patch
    was sent by Xi Wang .

    Signed-off-by: Ralf Baechle
    Cc: Xi Wang
    Cc: Joerg Reuter
    Cc: Alan Cox
    Cc: Thomas Osterried
    Signed-off-by: David S. Miller

    Ralf Baechle
     

01 Nov, 2011

1 commit