{"id":1839973,"url":"http://patchwork.ozlabs.org/api/patches/1839973/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20230927004025.119111-2-cascardo@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20230927004025.119111-2-cascardo@canonical.com>","list_archive_url":null,"date":"2023-09-27T00:40:21","name":"[SRU,Focal,Jammy,Lunar,1/5] igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"4eca9a5d0411dcaf2ca0373b387ee53b4c5c87be","submitter":{"id":70574,"url":"http://patchwork.ozlabs.org/api/people/70574/?format=json","name":"Thadeu Lima de Souza Cascardo","email":"cascardo@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20230927004025.119111-2-cascardo@canonical.com/mbox/","series":[{"id":375017,"url":"http://patchwork.ozlabs.org/api/series/375017/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=375017","date":"2023-09-27T00:40:20","name":"CVE-2023-42752","version":1,"mbox":"http://patchwork.ozlabs.org/series/375017/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/1839973/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/1839973/checks/","tags":{},"related":[],"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":"legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)","Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4RwHpW52cRz1ypS\n\tfor ; Wed, 27 Sep 2023 10:40:50 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from )\n\tid 1qlIbZ-0004ck-Pd; Wed, 27 Sep 2023 00:40:41 +0000","from smtp-relay-canonical-0.internal ([10.131.114.83]\n helo=smtp-relay-canonical-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from )\n id 1qlIbT-0004c2-By\n for kernel-team@lists.ubuntu.com; Wed, 27 Sep 2023 00:40:35 +0000","from quatroqueijos.lan (1.general.cascardo.us.vpn [10.172.70.58])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id ED3EB3F123\n for ; Wed, 27 Sep 2023 00:40:33 +0000 (UTC)"],"From":"Thadeu Lima de Souza Cascardo ","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU Focal, Jammy,\n Lunar 1/5] igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU","Date":"Tue, 26 Sep 2023 21:40:21 -0300","Message-Id":"<20230927004025.119111-2-cascardo@canonical.com>","X-Mailer":"git-send-email 2.34.1","In-Reply-To":"<20230927004025.119111-1-cascardo@canonical.com>","References":"<20230927004025.119111-1-cascardo@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" "},"content":"From: Eric Dumazet \n\nThis is a follow up of commit 915d975b2ffa (\"net: deal with integer\noverflows in kmalloc_reserve()\") based on David Laight feedback.\n\nBack in 2010, I failed to realize malicious users could set dev->mtu\nto arbitrary values. This mtu has been since limited to 0x7fffffff but\nregardless of how big dev->mtu is, it makes no sense for igmpv3_newpack()\nto allocate more than IP_MAX_MTU and risk various skb fields overflows.\n\nFixes: 57e1ab6eaddc (\"igmp: refine skb allocations\")\nLink: https://lore.kernel.org/netdev/d273628df80f45428e739274ab9ecb72@AcuMS.aculab.com/\nSigned-off-by: Eric Dumazet \nReported-by: David Laight \nCc: Kyle Zeng \nReviewed-by: Simon Horman \nSigned-off-by: David S. Miller \n(cherry picked from commit c3b704d4a4a265660e665df51b129e8425216ed1)\nCVE-2023-42752\nSigned-off-by: Thadeu Lima de Souza Cascardo \n---\n net/ipv4/igmp.c | 3 ++-\n 1 file changed, 2 insertions(+), 1 deletion(-)","diff":"diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c\nindex c920aa9a62a9..474711222999 100644\n--- a/net/ipv4/igmp.c\n+++ b/net/ipv4/igmp.c\n@@ -353,8 +353,9 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)\n \tstruct flowi4 fl4;\n \tint hlen = LL_RESERVED_SPACE(dev);\n \tint tlen = dev->needed_tailroom;\n-\tunsigned int size = mtu;\n+\tunsigned int size;\n \n+\tsize = min(mtu, IP_MAX_MTU);\n \twhile (1) {\n \t\tskb = alloc_skb(size + hlen + tlen,\n \t\t\t\tGFP_ATOMIC | __GFP_NOWARN);\n","prefixes":["SRU","Focal","Jammy","Lunar","1/5"]}