Patch "mISDN: fix MISDN_TIME_STAMP handling" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    mISDN: fix MISDN_TIME_STAMP handling

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     misdn-fix-misdn_time_stamp-handling.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit aca69d4f5636f6e33b8c9f3bd6f256e436f06035
Author: Eric Dumazet <edumazet@xxxxxxxxxx>
Date:   Mon Apr 8 08:28:44 2024 +0000

    mISDN: fix MISDN_TIME_STAMP handling
    
    [ Upstream commit 138b787804f4a10417618e8d1e6e2700539fd88c ]
    
    syzbot reports one unsafe call to copy_from_sockptr() [1]
    
    Use copy_safe_from_sockptr() instead.
    
    [1]
    
     BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
     BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
     BUG: KASAN: slab-out-of-bounds in data_sock_setsockopt+0x46c/0x4cc drivers/isdn/mISDN/socket.c:417
    Read of size 4 at addr ffff0000c6d54083 by task syz-executor406/6167
    
    CPU: 1 PID: 6167 Comm: syz-executor406 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
    Call trace:
      dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
      show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:377 [inline]
      print_report+0x178/0x518 mm/kasan/report.c:488
      kasan_report+0xd8/0x138 mm/kasan/report.c:601
      __asan_report_load_n_noabort+0x1c/0x28 mm/kasan/report_generic.c:391
      copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
      copy_from_sockptr include/linux/sockptr.h:55 [inline]
      data_sock_setsockopt+0x46c/0x4cc drivers/isdn/mISDN/socket.c:417
      do_sock_setsockopt+0x2a0/0x4e0 net/socket.c:2311
      __sys_setsockopt+0x128/0x1a8 net/socket.c:2334
      __do_sys_setsockopt net/socket.c:2343 [inline]
      __se_sys_setsockopt net/socket.c:2340 [inline]
      __arm64_sys_setsockopt+0xb8/0xd4 net/socket.c:2340
      __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
      invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
      el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
      do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
      el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
      el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
      el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
    
    Fixes: 1b2b03f8e514 ("Add mISDN core files")
    Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
    Cc: Karsten Keil <isdn@xxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240408082845.3957374-3-edumazet@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
index 2776ca5fc33f3..b215b28cad7b7 100644
--- a/drivers/isdn/mISDN/socket.c
+++ b/drivers/isdn/mISDN/socket.c
@@ -401,23 +401,23 @@ data_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 }
 
 static int data_sock_setsockopt(struct socket *sock, int level, int optname,
-				sockptr_t optval, unsigned int len)
+				sockptr_t optval, unsigned int optlen)
 {
 	struct sock *sk = sock->sk;
 	int err = 0, opt = 0;
 
 	if (*debug & DEBUG_SOCKET)
 		printk(KERN_DEBUG "%s(%p, %d, %x, optval, %d)\n", __func__, sock,
-		       level, optname, len);
+		       level, optname, optlen);
 
 	lock_sock(sk);
 
 	switch (optname) {
 	case MISDN_TIME_STAMP:
-		if (copy_from_sockptr(&opt, optval, sizeof(int))) {
-			err = -EFAULT;
+		err = copy_safe_from_sockptr(&opt, sizeof(opt),
+					     optval, optlen);
+		if (err)
 			break;
-		}
 
 		if (opt)
 			_pms(sk)->cmask |= MISDN_TIME_STAMP;




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux