On 6/2/22 20:30, Denis Efremov wrote: > Hi, > > On 6/2/22 20:12, Pavel Machek wrote: >> Hi! >> >>> commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream. >>> >>> It appears that there are some buffer overflows in EVT_TRANSACTION. >>> This happens because the length parameters that are passed to memcpy >>> come directly from skb->data and are not guarded in any way. >>> >>> Signed-off-by: Jordy Zomer <jordy@pwning.systems> >>> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@xxxxxxxxxxxxx> >>> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> >>> Signed-off-by: Denis Efremov <denis.e.efremov@xxxxxxxxxx> >>> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> >> >> It seems that this patch causes an memory leak, transaction does not >> seem to be freed in the error paths. >> >> (I also wonder if the skb should be freed in the error paths...?) >> >> Reported-by: <theflamefire89@xxxxxxxxx> > > Same for upstream code and it looks like the problem existed even > before this patch. I'll prepare an upstream patch and cc it to stable. > I checked and Martin already sent patches upstream to fix this. https://lore.kernel.org/all/20220401180939.2025819-1-mfaltesek@xxxxxxxxxx/ https://lore.kernel.org/all/20220401180955.2025877-1-mfaltesek@xxxxxxxxxx/ https://lore.kernel.org/all/20220401181032.2026076-1-mfaltesek@xxxxxxxxxx/ https://lore.kernel.org/all/20220401181048.2026145-1-mfaltesek@xxxxxxxxxx/ Thanks, Denis
