This is a note to let you know that I've just added the patch titled net: fix possible out-of-bound read in skb_network_protocol() to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Tue Apr 10 23:20:08 CEST 2018 From: Eric Dumazet <edumazet@xxxxxxxxxx> Date: Mon, 26 Mar 2018 08:08:07 -0700 Subject: net: fix possible out-of-bound read in skb_network_protocol() From: Eric Dumazet <edumazet@xxxxxxxxxx> [ Upstream commit 1dfe82ebd7d8fd43dba9948fdfb31f145014baa0 ] skb mac header is not necessarily set at the time skb_network_protocol() is called. Use skb->data instead. BUG: KASAN: slab-out-of-bounds in skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739 Read of size 2 at addr ffff8801b3097a0b by task syz-executor5/14242 CPU: 1 PID: 14242 Comm: syz-executor5 Not tainted 4.16.0-rc6+ #280 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 print_address_description+0x73/0x250 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report+0x23c/0x360 mm/kasan/report.c:412 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443 skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739 harmonize_features net/core/dev.c:2924 [inline] netif_skb_features+0x509/0x9b0 net/core/dev.c:3011 validate_xmit_skb+0x81/0xb00 net/core/dev.c:3084 validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3142 packet_direct_xmit+0x117/0x790 net/packet/af_packet.c:256 packet_snd net/packet/af_packet.c:2944 [inline] packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg+0xca/0x110 net/socket.c:639 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2047 __sys_sendmsg+0xe5/0x210 net/socket.c:2081 Fixes: 19acc327258a ("gso: Handle Trans-Ether-Bridging protocol in skb_network_protocol()") Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx> Cc: Pravin B Shelar <pshelar@xxxxxxx> Reported-by: Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/core/dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/core/dev.c +++ b/net/core/dev.c @@ -2696,7 +2696,7 @@ __be16 skb_network_protocol(struct sk_bu if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr)))) return 0; - eth = (struct ethhdr *)skb_mac_header(skb); + eth = (struct ethhdr *)skb->data; type = eth->h_proto; } Patches currently in stable-queue which might be from edumazet@xxxxxxxxxx are queue-4.14/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch queue-4.14/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch queue-4.14/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch queue-4.14/net-fool-proof-dev_valid_name.patch queue-4.14/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch queue-4.14/vti6-better-validate-user-provided-tunnel-names.patch queue-4.14/ipv6-sit-better-validate-user-provided-tunnel-names.patch queue-4.14/ip6_tunnel-better-validate-user-provided-tunnel-names.patch queue-4.14/sctp-do-not-leak-kernel-memory-to-user-space.patch queue-4.14/ip_tunnel-better-validate-user-provided-tunnel-names.patch queue-4.14/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch queue-4.14/ip6_gre-better-validate-user-provided-tunnel-names.patch