GET

Patch Detail

get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/patches/1839978/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 1839978,
    "url": "http://patchwork.ozlabs.org/api/patches/1839978/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20230927004025.119111-6-cascardo@canonical.com/",
    "project": {
        "id": 15,
        "url": "http://patchwork.ozlabs.org/api/projects/15/?format=api",
        "name": "Ubuntu Kernel",
        "link_name": "ubuntu-kernel",
        "list_id": "kernel-team.lists.ubuntu.com",
        "list_email": "kernel-team@lists.ubuntu.com",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null,
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20230927004025.119111-6-cascardo@canonical.com>",
    "list_archive_url": null,
    "date": "2023-09-27T00:40:25",
    "name": "[SRU,OEM-6.1,Lunar,5/5] net: deal with integer overflows in kmalloc_reserve()",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "6fa0b6de0482aa079bcd521ec7fd130c6a1e4894",
    "submitter": {
        "id": 70574,
        "url": "http://patchwork.ozlabs.org/api/people/70574/?format=api",
        "name": "Thadeu Lima de Souza Cascardo",
        "email": "cascardo@canonical.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20230927004025.119111-6-cascardo@canonical.com/mbox/",
    "series": [
        {
            "id": 375017,
            "url": "http://patchwork.ozlabs.org/api/series/375017/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=375017",
            "date": "2023-09-27T00:40:20",
            "name": "CVE-2023-42752",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/375017/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/1839978/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/1839978/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)",
        "Received": [
            "from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4RwHpn2Bwhz1yp8\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 27 Sep 2023 10:41:05 +1000 (AEST)",
            "from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1qlIbo-0004mU-Ld; Wed, 27 Sep 2023 00:40:56 +0000",
            "from smtp-relay-canonical-0.internal ([10.131.114.83]\n helo=smtp-relay-canonical-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <cascardo@canonical.com>)\n id 1qlIbd-0004fC-Oj\n for kernel-team@lists.ubuntu.com; Wed, 27 Sep 2023 00:40:46 +0000",
            "from quatroqueijos.lan (1.general.cascardo.us.vpn [10.172.70.58])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id 4C3603F123\n for <kernel-team@lists.ubuntu.com>; Wed, 27 Sep 2023 00:40:44 +0000 (UTC)"
        ],
        "From": "Thadeu Lima de Souza Cascardo <cascardo@canonical.com>",
        "To": "kernel-team@lists.ubuntu.com",
        "Subject": "[SRU OEM-6.1,\n Lunar 5/5] net: deal with integer overflows in kmalloc_reserve()",
        "Date": "Tue, 26 Sep 2023 21:40:25 -0300",
        "Message-Id": "<20230927004025.119111-6-cascardo@canonical.com>",
        "X-Mailer": "git-send-email 2.34.1",
        "In-Reply-To": "<20230927004025.119111-1-cascardo@canonical.com>",
        "References": "<20230927004025.119111-1-cascardo@canonical.com>",
        "MIME-Version": "1.0",
        "X-BeenThere": "kernel-team@lists.ubuntu.com",
        "X-Mailman-Version": "2.1.20",
        "Precedence": "list",
        "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>",
        "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>",
        "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>",
        "List-Post": "<mailto:kernel-team@lists.ubuntu.com>",
        "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>",
        "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>",
        "Content-Type": "text/plain; charset=\"utf-8\"",
        "Content-Transfer-Encoding": "base64",
        "Errors-To": "kernel-team-bounces@lists.ubuntu.com",
        "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"
    },
    "content": "From: Eric Dumazet <edumazet@google.com>\n\ncommit 915d975b2ffa58a14bfcf16fafe00c41315949ff upstream.\n\nBlamed commit changed:\n    ptr = kmalloc(size);\n    if (ptr)\n      size = ksize(ptr);\n\nto:\n    size = kmalloc_size_roundup(size);\n    ptr = kmalloc(size);\n\nThis allowed various crash as reported by syzbot [1]\nand Kyle Zeng.\n\nProblem is that if @size is bigger than 0x80000001,\nkmalloc_size_roundup(size) returns 2^32.\n\nkmalloc_reserve() uses a 32bit variable (obj_size),\nso 2^32 is truncated to 0.\n\nkmalloc(0) returns ZERO_SIZE_PTR which is not handled by\nskb allocations.\n\nFollowing trace can be triggered if a netdev->mtu is set\nclose to 0x7fffffff\n\nWe might in the future limit netdev->mtu to more sensible\nlimit (like KMALLOC_MAX_SIZE).\n\nThis patch is based on a syzbot report, and also a report\nand tentative fix from Kyle Zeng.\n\n[1]\nBUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline]\nBUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527\nWrite of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554\n\nCPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023\nCall trace:\ndump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279\nshow_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106\nprint_report+0xe4/0x4b4 mm/kasan/report.c:398\nkasan_report+0x150/0x1ac mm/kasan/report.c:495\nkasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189\nmemset+0x40/0x70 mm/kasan/shadow.c:44\n__build_skb_around net/core/skbuff.c:294 [inline]\n__alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527\nalloc_skb include/linux/skbuff.h:1316 [inline]\nigmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359\nadd_grec+0x81c/0x1124 net/ipv4/igmp.c:534\nigmpv3_send_cr net/ipv4/igmp.c:667 [inline]\nigmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810\ncall_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474\nexpire_timers kernel/time/timer.c:1519 [inline]\n__run_timers+0x54c/0x710 kernel/time/timer.c:1790\nrun_timer_softirq+0x28/0x4c kernel/time/timer.c:1803\n_stext+0x380/0xfbc\n____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79\ncall_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891\ndo_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84\ninvoke_softirq kernel/softirq.c:437 [inline]\n__irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683\nirq_exit_rcu+0x14/0x78 kernel/softirq.c:695\nel0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717\n__el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724\nel0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729\nel0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584\n\nFixes: 12d6c1d3a2ad (\"skbuff: Proactively round up to kmalloc bucket size\")\nReported-by: syzbot <syzkaller@googlegroups.com>\nReported-by: Kyle Zeng <zengyhkyle@gmail.com>\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nCc: Kees Cook <keescook@chromium.org>\nCc: Vlastimil Babka <vbabka@suse.cz>\nSigned-off-by: David S. Miller <davem@davemloft.net>\n[Ajay: Regenerated the patch for v6.1.y]\nSigned-off-by: Ajay Kaher <akaher@vmware.com>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\n(cherry picked from commit 31cf7853a940181593e4472fc56f46574123f9f6 linux-6.1.y)\nCVE-2023-42752\nSigned-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>\n---\n net/core/skbuff.c | 10 ++++++++--\n 1 file changed, 8 insertions(+), 2 deletions(-)",
    "diff": "diff --git a/net/core/skbuff.c b/net/core/skbuff.c\nindex 7219fb97a560..19441a892c9b 100644\n--- a/net/core/skbuff.c\n+++ b/net/core/skbuff.c\n@@ -483,11 +483,17 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node,\n \t\t\t     bool *pfmemalloc)\n {\n \tbool ret_pfmemalloc = false;\n-\tunsigned int obj_size;\n+\tsize_t obj_size;\n \tvoid *obj;\n \n \tobj_size = SKB_HEAD_ALIGN(*size);\n-\t*size = obj_size = kmalloc_size_roundup(obj_size);\n+\n+\tobj_size = kmalloc_size_roundup(obj_size);\n+\t/* The following cast might truncate high-order bits of obj_size, this\n+\t * is harmless because kmalloc(obj_size >= 2^32) will fail anyway.\n+\t */\n+\t*size = (unsigned int)obj_size;\n+\n \t/*\n \t * Try a regular allocation, when that fails and we're not entitled\n \t * to the reserves, fail.\n",
    "prefixes": [
        "SRU",
        "OEM-6.1",
        "Lunar",
        "5/5"
    ]
}