On 6/2/22 20:30, Denis Efremov wrote:
> Hi,
>
> On 6/2/22 20:12, Pavel Machek wrote:
>> Hi!
>>
>>> commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream.
>>>
>>> It appears that there are some buffer overflows in EVT_TRANSACTION. This happens because the length parameters that are passed to memcpy come directly from skb->data and are not guarded in any way.
>>>
>>> Signed-off-by: Jordy Zomer <jordy@pwning.systems>
>>> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
>>> Signed-off-by: David S. Miller <davem@davemloft.net>
>>> Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>
>> It seems that this patch causes a memory leak, transaction does not seem to be freed in the error paths.
>>
>> (I also wonder if the skb should be freed in the error paths...?)
>>
>> Reported-by: theflamefire89@gmail.com
>
> Same for upstream code and it looks like the problem existed even before this patch. I'll prepare an upstream patch and cc it to stable.

I checked and Martin already sent patches upstream to fix this.

https://lore.kernel.org/all/20220401180939.2025819-1-mfaltesek@google.com/
https://lore.kernel.org/all/20220401180955.2025877-1-mfaltesek@google.com/
https://lore.kernel.org/all/20220401181032.2026076-1-mfaltesek@google.com/
https://lore.kernel.org/all/20220401181048.2026145-1-mfaltesek@google.com/

Thanks,
Denis
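The two defects the thread discusses, lengths read from the packet and handed to memcpy without a check, and a partially built transaction that is not released when parsing fails, can be seen together in the following user-space model. This is an added example, not the st21nfca driver's code or the patches linked above: the event layout (aid_len, aid, params_len, params), the function names and the sample bytes are all assumptions constructed for illustration, and malloc/free stand in for the kernel allocator. The allocation counter exists only so a test can prove that a rejected event leaves nothing behind.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outstanding allocations, so a test can show that rejected events
 * free everything they allocated (the leak reported in the thread). */
static int live_allocs;

static void *track_alloc(size_t n)
{
    void *p = malloc(n ? n : 1);
    if (p)
        live_allocs++;
    return p;
}

static void track_free(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

/* Hypothetical event layout (constructed for this example, not the real
 * EVT_TRANSACTION format):
 *   byte 0            : aid_len
 *   next aid_len bytes: aid
 *   next byte         : params_len
 *   next params_len   : params
 */
struct transaction {
    uint8_t aid_len;
    uint8_t params_len;
    uint8_t *aid;
    uint8_t *params;
};

void transaction_free(struct transaction *t)
{
    if (!t)
        return;
    track_free(t->params);
    track_free(t->aid);
    track_free(t);
}

/* Returns 0 and sets *out on success, -1 for a malformed event, -2 on
 * allocation failure.  On every failure path *out is NULL and everything
 * allocated so far has been released through the single err: exit. */
int parse_transaction(const uint8_t *data, size_t len, struct transaction **out)
{
    struct transaction *t;
    size_t off = 0;
    int rc = -1;

    *out = NULL;
    t = track_alloc(sizeof(*t));
    if (!t)
        return -2;
    memset(t, 0, sizeof(*t));

    /* Each wire length is checked against the bytes that remain before
     * it is used as a memcpy size; off never runs past len. */
    if (len - off < 1)
        goto err;
    t->aid_len = data[off++];
    if (t->aid_len > len - off)
        goto err;
    t->aid = track_alloc(t->aid_len);
    if (!t->aid) { rc = -2; goto err; }
    memcpy(t->aid, data + off, t->aid_len);
    off += t->aid_len;

    if (len - off < 1)
        goto err;
    t->params_len = data[off++];
    if (t->params_len > len - off)
        goto err;
    t->params = track_alloc(t->params_len);
    if (!t->params) { rc = -2; goto err; }
    memcpy(t->params, data + off, t->params_len);
    off += t->params_len;

    if (off != len)        /* trailing bytes are a protocol error too */
        goto err;

    *out = t;
    return 0;

err:
    transaction_free(t);   /* releases whichever parts were allocated */
    return rc;
}

/* Parse, report the status, and release the result on success. */
int check_event(const uint8_t *data, size_t len)
{
    struct transaction *t;
    int rc = parse_transaction(data, len, &t);
    if (rc == 0)
        transaction_free(t);
    return rc;
}

int live_allocations(void) { return live_allocs; }

/* Constructed sample events (not captured from real hardware). */
const uint8_t sample_good[] = {2, 0xA0, 0x01, 3, 0x11, 0x22, 0x33};
const size_t sample_good_len = sizeof sample_good;
/* params_len claims 9 bytes but only 1 follows: an unguarded memcpy would
 * read past the buffer; here the event is rejected and nothing leaks. */
const uint8_t sample_overlong[] = {2, 0xA0, 0x01, 9, 0x11};
const size_t sample_overlong_len = sizeof sample_overlong;

int main(void)
{
    printf("good: %d, overlong: %d, live allocations: %d\n",
           check_event(sample_good, sample_good_len),
           check_event(sample_overlong, sample_overlong_len),
           live_allocations());
    return 0;
}
```

The pattern worth keeping from this is the single `err:` exit that calls the same destructor used for normal teardown; a parser with several `return -EPROTO;` lines scattered after partial allocations is exactly where the leak the thread describes creeps in.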