android_kernel_msm-6.1_nothing_sm7635

NothingOSS/android_kernel_msm-6.1_nothing_sm7635

History

Lin Ma ecff20e193 net: dcb: choose correct policy to parse DCB_ATTR_BCN [ Upstream commit 31d49ba033095f6e8158c60f69714a500922e0c3 ] The dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN], which is introduced in commit `859ee3c438` ("DCB: Add support for DCB BCN"). Please see the comment in below code static int dcbnl_bcn_setcfg(...) { ... ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. ) // !!! dcbnl_pfc_up_nest for attributes // DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs ... for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) { // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs ... value_byte = nla_get_u8(data[i]); ... } ... for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) { // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs ... value_int = nla_get_u32(data[i]); ... } ... } That is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest attributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the following access code fetch each nlattr as dcbnl_bcn_attrs attributes. By looking up the associated nla_policy for dcbnl_bcn_attrs. We can find the beginning part of these two policies are "same". static const struct nla_policy dcbnl_pfc_up_nest[...] = { [DCB_PFC_UP_ATTR_0] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_1] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_2] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_3] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_4] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_5] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_6] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_7] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG}, }; static const struct nla_policy dcbnl_bcn_nest[...] = { [DCB_BCN_ATTR_RP_0] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_1] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_2] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_3] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_4] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_5] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_6] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_7] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG}, // from here is somewhat different [DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32}, ... [DCB_BCN_ATTR_ALL] = {.type = NLA_FLAG}, }; Therefore, the current code is buggy and this nla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0. Hence use the correct policy dcbnl_bcn_nest to parse the nested tb[DCB_ATTR_BCN] TLV. Fixes: `859ee3c438` ("DCB: Add support for DCB BCN") Signed-off-by: Lin Ma <linma@zju.edu.cn> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/r/20230801013248.87240-1-linma@zju.edu.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>		2023-08-11 12:08:17 +02:00
..
6lowpan
9p	9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition	2023-04-20 12:35:08 +02:00
802	mrp: introduce active flags to prevent UAF when applicant uninit	2022-12-31 13:33:02 +01:00
8021q	vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()	2023-05-24 17:32:47 +01:00
appletalk
atm	atm: hide unused procfs functions	2023-06-09 10:34:16 +02:00
ax25
batman-adv	batman-adv: Broken sync while rescheduling delayed work	2023-06-14 11:15:23 +02:00
bluetooth	Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()	2023-07-27 08:50:47 +02:00
bpf	Revert "bpf, test_run: fix &xdp_frame misplacement for LIVE_FRAMES"	2023-03-17 08:50:32 +01:00
bpfilter
bridge	bridge: Add extack warning when enabling STP in netns.	2023-07-27 08:50:40 +02:00
caif	net: caif: Fix use-after-free in cfusbl_device_notify()	2023-03-17 08:50:24 +01:00
can	can: bcm: Fix UAF in bcm_proc_show()	2023-07-27 08:50:27 +02:00
ceph	rbd: harden get_lock_owner_info() a bit	2023-08-03 10:24:17 +02:00
core	bpf: sockmap: Remove preempt_disable in sock_map_sk_acquire	2023-08-11 12:08:16 +02:00
dcb	net: dcb: choose correct policy to parse DCB_ATTR_BCN	2023-08-11 12:08:17 +02:00
dccp	net: annotate data-races around sk->sk_mark	2023-08-11 12:08:14 +02:00
dns_resolver
dsa	net: dsa: sja1105: always enable the send_meta options	2023-07-19 16:22:06 +02:00
ethernet
ethtool	ethtool: Fix uninitialized number of lanes	2023-05-17 11:53:37 +02:00
hsr	hsr: ratelimit only when errors are printed	2023-04-06 12:10:58 +02:00
ieee802154	net: ieee802154: fix error return code in dgram_bind()	2022-10-07 09:29:17 +02:00
ife
ipv4	net: annotate data-races around sk->sk_priority	2023-08-11 12:08:15 +02:00
ipv6	net: annotate data-races around sk->sk_priority	2023-08-11 12:08:15 +02:00
iucv	net/iucv: Fix size of interrupt data	2023-03-22 13:33:50 +01:00
kcm	kcm: close race conditions on sk_receive_queue	2022-11-15 12:42:26 +01:00
key	af_key: Reject optional tunnel/BEET mode templates in outbound policies	2023-05-24 17:32:43 +01:00
l2tp	net: annotate data-races around sk->sk_mark	2023-08-11 12:08:14 +02:00
l3mdev
lapb
llc	llc: Don't drop packet from non-root netns.	2023-07-27 08:50:45 +02:00
mac80211	wifi: mac80211: Remove "Missing iftype sband data/EHT cap" spam	2023-07-19 16:21:09 +02:00
mac802154	mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()	2022-12-05 09:53:08 +01:00
mctp	net: mctp: purge receive queues on sk destruction	2023-02-06 08:06:34 +01:00
mpls	net: mpls: fix stale pointer if allocation fails during device rename	2023-02-22 12:59:53 +01:00
mptcp	net: annotate data-races around sk->sk_mark	2023-08-11 12:08:14 +02:00
ncsi	net/ncsi: change from ndo_set_mac_address to dev_set_mac_address	2023-07-23 13:49:51 +02:00
netfilter	net: annotate data-races around sk->sk_mark	2023-08-11 12:08:14 +02:00
netlabel
netlink	netlink: Add __sock_i_ino() for __netlink_diag_dump().	2023-07-19 16:21:13 +02:00
netrom	netrom: fix info-leak in nr_write_internal()	2023-06-09 10:34:01 +02:00
nfc	net: nfc: Fix use-after-free caused by nfc_llcp_find_local	2023-07-19 16:21:13 +02:00
nsh	net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()	2023-05-24 17:32:45 +01:00
openvswitch	net: openvswitch: fix race on port output	2023-04-20 12:35:09 +02:00
packet	net: annotate data-races around sk->sk_priority	2023-08-11 12:08:15 +02:00
phonet
psample
qrtr	net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()	2023-04-20 12:35:09 +02:00
rds	rds: rds_rm_zerocopy_callback() correct order for list_add_tail()	2023-03-10 09:33:02 +01:00
rfkill
rose	net/rose: Fix to not accept on connected socket	2023-02-22 12:59:42 +01:00
rxrpc	rxrpc: Fix hard call timeout units	2023-05-17 11:53:35 +02:00
sched	net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free	2023-08-11 12:08:16 +02:00
sctp	sctp: fix potential deadlock on &net->sctp.addr_wq_lock	2023-07-19 16:22:00 +02:00
smc	net: annotate data-races around sk->sk_mark	2023-08-11 12:08:14 +02:00
strparser
sunrpc	SUNRPC: Fix UAF in svc_tcp_listen_data_ready()	2023-07-19 16:21:48 +02:00
switchdev
tipc	tipc: stop tipc crypto on failure in tipc_node_create	2023-08-03 10:24:02 +02:00
tls	tls: rx: strp: don't use GFP_KERNEL in softirq context	2023-06-09 10:34:29 +02:00
unix	net: add missing data-race annotations around sk->sk_peek_off	2023-08-11 12:08:14 +02:00
vmw_vsock	vsock: avoid to close connected socket after the timeout	2023-05-24 17:32:44 +01:00
wireless	wifi: cfg80211: Fix return value in scan logic	2023-08-11 12:08:11 +02:00
x25	net/x25: Fix to not accept on connected socket	2023-02-09 11:28:13 +01:00
xdp	net: annotate data-races around sk->sk_mark	2023-08-11 12:08:14 +02:00
xfrm	net: annotate data-races around sk->sk_mark	2023-08-11 12:08:14 +02:00
compat.c	use less confusing names for iov_iter direction initializers	2023-02-09 11:28:04 +01:00
devres.c
Kconfig
Kconfig.debug	net: make NET_(DEV\|NS)_REFCNT_TRACKER depend on NET	2022-09-20 14:23:56 -07:00
Makefile
socket.c	net: annotate sk->sk_err write from do_recvmmsg()	2023-05-24 17:32:32 +01:00
sysctl_net.c