On Thu, Mar 17, 2022 at 10:09:52AM -0700, Tadeusz Struk wrote:
> On 3/17/22 09:56, Greg KH wrote:
> > On Thu, Mar 17, 2022 at 09:41:59AM -0700, Tadeusz Struk wrote:
> > > From: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
> > >
> > > Please apply this on 5.10.y stable as well as it fixes the following
> > > syzbot issues:
> > >
> > > LINK: https://syzkaller.appspot.com/bug?id=517fa734b92b7db404c409b924cf5c997640e324
> > > LINK: https://syzkaller.appspot.com/bug?id=57375340ab81a369df5da5eb16cfcd4aef9dfb9d
> > >
> > > Here is a working patch.
> > > ---8<---
> > >
> > > The maximum message size that can be sent is bigger than
> > > the maximum size that skb_page_frag_refill can allocate.
> > > So it is possible to write beyond the allocated buffer.
> > >
> > > Fix this by doing a fallback to COW in that case.
> > >
> > > Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
> > > Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
> > > Reported-by: valis <sec@valis.email>
> > > Reported-by: <syzbot+93ab2623dcb5c73eda9f@xxxxxxxxxxxxxxxxxxxxxxxxx>
> > > Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
> > > Signed-off-by: Tadeusz Struk <tadeusz.struk@xxxxxxxxxx>
> > > ---
> > >  include/net/esp.h  | 2 ++
> > >  include/net/sock.h | 1 +
> > >  net/ipv4/esp4.c    | 5 +++++
> > >  net/ipv6/esp6.c    | 5 +++++
> > >  4 files changed, 13 insertions(+)
> >
> > What is the git commit id of this commit in Linus's tree?
> >
>
> It's this one:
>
> ebe48d368e97 ("esp: Fix possible buffer overflow in ESP transformation")
>
> Sorry I forgot to include it in the backport.

Now queued up, thanks.

greg k-h