From 1a96a4a08d0e9576b3c347d86853fc496b1af22b Mon Sep 17 00:00:00 2001
From: Denis Kirjanov
Date: Feb 15 2024 13:44:23 +0000
Subject: Merge remote-tracking branch 'origin/cve/linux-4.12' into SLE12-SP5
---
diff --git a/patches.suse/net-rds-Fix-UBSAN-array-index-out-of-bounds-in-rds_c.patch b/patches.suse/net-rds-Fix-UBSAN-array-index-out-of-bounds-in-rds_c.patch
new file mode 100644
index 0000000..6511437
--- /dev/null
+++ b/patches.suse/net-rds-Fix-UBSAN-array-index-out-of-bounds-in-rds_c.patch
@@ -0,0 +1,64 @@
+From: Sharath Srinivasan
+Date: Fri, 19 Jan 2024 17:48:39 -0800
+Subject: net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
+Patch-mainline: v6.8-rc2
+Git-commit: 13e788deb7348cc88df34bed736c3b3b9927ea52
+References: bsc#1219127 CVE-2024-23849
+
+Syzcaller UBSAN crash occurs in rds_cmsg_recv(),
+which reads inc->i_rx_lat_trace[j + 1] with index 4 (3 + 1),
+but with array size of 4 (RDS_RX_MAX_TRACES).
+Here 'j' is assigned from rs->rs_rx_trace[i] and in-turn from
+trace.rx_trace_pos[i] in rds_recv_track_latency(),
+with both arrays sized 3 (RDS_MSG_RX_DGRAM_TRACE_MAX). So fix the
+off-by-one bounds check in rds_recv_track_latency() to prevent
+a potential crash in rds_cmsg_recv().
+
+Found by syzcaller:
+=================================================================
+UBSAN: array-index-out-of-bounds in net/rds/recv.c:585:39
+index 4 is out of range for type 'u64 [4]'
+CPU: 1 PID: 8058 Comm: syz-executor228 Not tainted 6.6.0-gd2f51b3516da #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+BIOS 1.15.0-1 04/01/2014
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
+ ubsan_epilogue lib/ubsan.c:217 [inline]
+ __ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348
+ rds_cmsg_recv+0x60d/0x700 net/rds/recv.c:585
+ rds_recvmsg+0x3fb/0x1610 net/rds/recv.c:716
+ sock_recvmsg_nosec net/socket.c:1044 [inline]
+ sock_recvmsg+0xe2/0x160 net/socket.c:1066
+ __sys_recvfrom+0x1b6/0x2f0 net/socket.c:2246
+ __do_sys_recvfrom net/socket.c:2264 [inline]
+ __se_sys_recvfrom net/socket.c:2260 [inline]
+ __x64_sys_recvfrom+0xe0/0x1b0 net/socket.c:2260
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+==================================================================
+
+Fixes: 3289025aedc0 ("RDS: add receive message trace used by application")
+Reported-by: Chenyuan Yang
+Closes:
https://lore.kernel.org/linux-rdma/CALGdzuoVdq-wtQ4Az9iottBqC5cv9ZhcE5q8N7LfYFvkRsOVcw@mail.gmail.com/
+Signed-off-by: Sharath Srinivasan
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Acked-by: Chun-Yi Lee
+---
+ net/rds/af_rds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rds/af_rds.c
++++ b/net/rds/af_rds.c
+@@ -315,7 +315,7 @@ static int rds_recv_track_latency(struct
+
+ rs->rs_rx_traces = trace.rx_traces;
+ for (i = 0; i < rs->rs_rx_traces; i++) {
+- if (trace.rx_trace_pos[i] > RDS_MSG_RX_DGRAM_TRACE_MAX) {
++ if (trace.rx_trace_pos[i] >= RDS_MSG_RX_DGRAM_TRACE_MAX) {
+ rs->rs_rx_traces = 0;
+ return -EFAULT;
+ }
diff --git a/series.conf b/series.conf
index 6f34ea4..bd9430d 100644
--- a/series.conf
+++ b/series.conf
@@ -64841,6 +64841,7 @@
 patches.suse/nvmet-tcp-remove-boilerplate-code.patch
 patches.suse/nvmet-tcp-Fix-the-H2C-expected-PDU-len-calculation.patch
 patches.suse/xen-netback-don-t-produce-zero-size-SKB-frags.patch
+ patches.suse/net-rds-Fix-UBSAN-array-index-out-of-bounds-in-rds_c.patch
 patches.suse/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch
 patches.suse/tracing-trigger-Fix-to-return-error-if-failed-to-alloc-snapshot.patch
 patches.suse/dm-limit-the-number-of-targets-and-parameter-size-ar.patch
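Review bot: The corrected `>=` comparison bounds only the value stored in each `rx_trace_pos[i]`; the loop index `i` is bounded by `rs->rs_rx_traces = trace.rx_traces`, which is user-supplied, so the fix presumably depends on an earlier `trace.rx_traces > RDS_MSG_RX_DGRAM_TRACE_MAX` guard that lies outside this hunk, and a backport reviewer should confirm that guard is present in the SLE12-SP5 `net/rds/af_rds.c` this patch is applied to. Per the patch description the array actually overrun is `inc->i_rx_lat_trace[j + 1]` in `rds_cmsg_recv()`, so the consumer still trusts `rs_rx_trace[]` to have been sanitized on the setsockopt path; a defensive `j + 1 < RDS_RX_MAX_TRACES` check at the read site would hedge against any other writer, but it would deviate from the mainline commit and belongs in a separate patch if wanted. The enclosing `rds_recv_track_latency()` both begins and ends outside the hunk. The `Closes:` trailer's URL is rendered on the line after the tag here; check that the patch file itself keeps the trailer on one line so the metadata parses correctly.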