On 3/17/22 09:56, Greg KH wrote:
On Thu, Mar 17, 2022 at 09:41:59AM -0700, Tadeusz Struk wrote:
From: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
Plese apply this on 5.10.y stable as well as it fixes the following
syzbot issues:
LINK: https://syzkaller.appspot.com/bug?id=517fa734b92b7db404c409b924cf5c997640e324
LINK: https://syzkaller.appspot.com/bug?id=57375340ab81a369df5da5eb16cfcd4aef9dfb9d
Here is a working patch.
---8<---
The maximum message size that can be send is bigger than
the maximum site that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.
Fix this by doing a fallback to COW in that case.
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <sec@valis.email>
Reported-by: <syzbot+93ab2623dcb5c73eda9f@xxxxxxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
Signed-off-by: Tadeusz Struk <tadeusz.struk@xxxxxxxxxx>
---
include/net/esp.h | 2 ++
include/net/sock.h | 1 +
net/ipv4/esp4.c | 5 +++++
net/ipv6/esp6.c | 5 +++++
4 files changed, 13 insertions(+)
What is the git commit id of this commit in Linus's tree?
It's this one:
ebe48d368e97 ("esp: Fix possible buffer overflow in ESP transformation")
Sorry I forgot to include it in the backport.
--
Thanks,
Tadeusz
