WSL2-Linux-Kernel/net/llc
Pavel Skripkin c7c9d2102c net: llc: fix skb_over_panic
Syzbot reported skb_over_panic() in llc_pdu_init_as_xid_cmd(). The
problem was in wrong LCC header manipulations.

Syzbot's reproducer tries to send XID packet. llc_ui_sendmsg() is
doing following steps:

	1. skb allocation with size = len + header size
		len is passed from userpace and header size
		is 3 since addr->sllc_xid is set.

	2. skb_reserve() for header_len = 3
	3. filling all other space with memcpy_from_msg()

Ok, at this moment we have fully loaded skb, only headers needs to be
filled.

Then code comes to llc_sap_action_send_xid_c(). This function pushes 3
bytes for LLC PDU header and initializes it. Then comes
llc_pdu_init_as_xid_cmd(). It initalizes next 3 bytes *AFTER* LLC PDU
header and call skb_push(skb, 3). This looks wrong for 2 reasons:

	1. Bytes rigth after LLC header are user data, so this function
	   was overwriting payload.

	2. skb_push(skb, 3) call can cause skb_over_panic() since
	   all free space was filled in llc_ui_sendmsg(). (This can
	   happen is user passed 686 len: 686 + 14 (eth header) + 3 (LLC
	   header) = 703. SKB_DATA_ALIGN(703) = 704)

So, in this patch I added 2 new private constansts: LLC_PDU_TYPE_U_XID
and LLC_PDU_LEN_U_XID. LLC_PDU_LEN_U_XID is used to correctly reserve
header size to handle LLC + XID case. LLC_PDU_TYPE_U_XID is used by
llc_pdu_header_init() function to push 6 bytes instead of 3. And finally
I removed skb_push() call from llc_pdu_init_as_xid_cmd().

This changes should not affect other parts of LLC, since after
all steps we just transmit buffer.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+5e5a981ad7cc54c4b2b4@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-07-27 13:05:56 +01:00
..
Kconfig net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
Makefile llc: fix whitespace issues 2018-07-24 14:10:42 -07:00
af_llc.c net: llc: fix skb_over_panic 2021-07-27 13:05:56 +01:00
llc_c_ac.c llc: fix sk_buff leak in llc_conn_service() 2019-10-08 13:23:05 -07:00
llc_c_ev.c net: llc: Correct some function names in header 2021-03-26 15:24:14 -07:00
llc_c_st.c llc: Make llc_conn_ev_qfyr_t function pointer arrays const 2014-12-10 15:21:24 -05:00
llc_conn.c net: llc: Fix kerneldoc warnings 2020-10-30 11:34:09 -07:00
llc_core.c llc: llc_core.c: COuple of typo fixes 2021-03-28 17:31:13 -07:00
llc_if.c llc: fix another potential sk_buff leak in llc_ui_sendmsg() 2019-10-08 13:23:05 -07:00
llc_input.c net: llc: kerneldoc fixes 2020-07-13 17:20:39 -07:00
llc_output.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 281 2019-06-05 17:36:36 +02:00
llc_pdu.c net: llc: Correct function name llc_pdu_set_pf_bit() in header 2021-03-26 15:24:14 -07:00
llc_proc.c net: Add missing annotation for llc_seq_start() 2020-02-24 13:26:49 -08:00
llc_s_ac.c net: llc: fix skb_over_panic 2021-07-27 13:05:56 +01:00
llc_s_ev.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
llc_s_st.c llc: Make llc_sap_action_t function pointer arrays const 2014-12-10 15:21:24 -05:00
llc_sap.c net: llc: kerneldoc fixes 2020-07-13 17:20:39 -07:00
llc_station.c llc2: Remove redundant assignment to rc 2021-04-27 14:16:14 -07:00
sysctl_net_llc.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00