On Thu, Mar 17, 2022 at 10:09:52AM -0700, Tadeusz Struk wrote:
On 3/17/22 09:56, Greg KH wrote:
On Thu, Mar 17, 2022 at 09:41:59AM -0700, Tadeusz Struk wrote:
From: Steffen Klassert steffen.klassert@secunet.com
Please apply this on 5.10.y stable as well as it fixes the following syzbot issues:
LINK: https://syzkaller.appspot.com/bug?id=517fa734b92b7db404c409b924cf5c997640e32...
LINK: https://syzkaller.appspot.com/bug?id=57375340ab81a369df5da5eb16cfcd4aef9dfb9...
Here is a working patch.
---8<---
The maximum message size that can be sent is bigger than the maximum size that skb_page_frag_refill can allocate. So it is possible to write beyond the allocated buffer.
Fix this by doing a fallback to COW in that case.
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis sec@valis.email
Reported-by: syzbot+93ab2623dcb5c73eda9f@syzkaller.appspotmail.com
Signed-off-by: Steffen Klassert steffen.klassert@secunet.com
Signed-off-by: Tadeusz Struk tadeusz.struk@linaro.org

 include/net/esp.h  | 2 ++
 include/net/sock.h | 1 +
 net/ipv4/esp4.c    | 5 +++++
 net/ipv6/esp6.c    | 5 +++++
 4 files changed, 13 insertions(+)
What is the git commit id of this commit in Linus's tree?
It's this one:
ebe48d368e97 ("esp: Fix possible buffer overflow in ESP transformation")
Sorry I forgot to include it in the backport.
Now queued up, thanks.
greg k-h
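
The condition the commit message describes, as a userspace model added here for illustration; it is not code from the patch or from the kernel. The names `FRAG_MAX`, `CACHE_LINE`, `frag_refill`, `unchecked_would_overflow` and `write_tail`, and the 32 KiB cap, are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model values, not from the page: one refill never yields more
 * than FRAG_MAX bytes, and requests are rounded up to CACHE_LINE. */
#define FRAG_MAX   32768u
#define CACHE_LINE 64u
#define ALIGN_UP(x, a) ((((x) + (a) - 1) / (a)) * (a))

enum out_path { PATH_FRAG, PATH_COW, PATH_ERR };

/* Simplified refill: reports success but caps the buffer at FRAG_MAX. */
static unsigned char *frag_refill(size_t want, size_t *got)
{
    *got = want < FRAG_MAX ? want : FRAG_MAX;
    return malloc(*got);
}

/* Unchecked caller, evaluated without performing the write: returns 1 when
 * it would write allocsz bytes into a smaller fragment. */
int unchecked_would_overflow(size_t data_len, size_t tailen)
{
    size_t got, allocsz = ALIGN_UP(data_len + tailen, CACHE_LINE);
    free(frag_refill(allocsz, &got));
    return allocsz > got;
}

/* Checked caller: an oversized request skips the fragment and takes the
 * copy path, whose buffer is sized from the request itself. */
enum out_path write_tail(size_t data_len, size_t tailen)
{
    size_t got, allocsz = ALIGN_UP(data_len + tailen, CACHE_LINE);
    int cow = allocsz > FRAG_MAX;        /* decide before refilling */
    unsigned char *buf = cow ? malloc(allocsz) : frag_refill(allocsz, &got);
    if (!buf)
        return PATH_ERR;
    memset(buf, 0, allocsz);             /* fits on both paths */
    free(buf);
    return cow ? PATH_COW : PATH_FRAG;
}

int main(void)
{
    printf("unchecked overflow: %d, checked path: %d\n",
           unchecked_would_overflow(65000, 20), write_tail(65000, 20));
    return 0;
}
```

The size comparison has to use the rounded-up request, since rounding can push a request that fits exactly over the cap.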