Patch "netdevsim: prevent bad user input in nsim_dev_health_break_write()" has been added to the 6.12-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    netdevsim: prevent bad user input in nsim_dev_health_break_write()

to the 6.12-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netdevsim-prevent-bad-user-input-in-nsim_dev_health_.patch
and it can be found in the queue-6.12 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 30517f0d96763083c53aadfab68ca54f9286da99
Author: Eric Dumazet <edumazet@xxxxxxxxxx>
Date:   Fri Dec 13 17:25:18 2024 +0000

    netdevsim: prevent bad user input in nsim_dev_health_break_write()
    
    [ Upstream commit ee76746387f6233bdfa93d7406990f923641568f ]
    
    If either a zero count or a large one is provided, kernel can crash.
    
    Fixes: 82c93a87bf8b ("netdevsim: implement couple of testing devlink health reporters")
    Reported-by: syzbot+ea40e4294e58b0292f74@xxxxxxxxxxxxxxxxxxxxxxxxx
    Closes: https://lore.kernel.org/netdev/675c6862.050a0220.37aaf.00b1.GAE@xxxxxxxxxx/T/#u
    Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Cc: Jiri Pirko <jiri@xxxxxxxxxx>
    Reviewed-by: Joe Damato <jdamato@xxxxxxxxxx>
    Link: https://patch.msgid.link/20241213172518.2415666-1-edumazet@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/netdevsim/health.c b/drivers/net/netdevsim/health.c
index 70e8bdf34be9..688f05316b5e 100644
--- a/drivers/net/netdevsim/health.c
+++ b/drivers/net/netdevsim/health.c
@@ -149,6 +149,8 @@ static ssize_t nsim_dev_health_break_write(struct file *file,
 	char *break_msg;
 	int err;
 
+	if (count == 0 || count > PAGE_SIZE)
+		return -EINVAL;
 	break_msg = memdup_user_nul(data, count);
 	if (IS_ERR(break_msg))
 		return PTR_ERR(break_msg);




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux