Commit af85f3c2 authored by Tejaswi Tanikella, committed by Dyneteve

net: ping: check if length is non-zero before copy



In ping_common_sendmsg icmphdr is copied from the iovec. If there is
no payload, calling csum_partial_copy_fromiovecend() can cause stack
out of bounds when offset is zero and iov->iov_len is zero.

BUG: KASAN: stack-out-of-bounds in
  csum_partial_copy_fromiovecend+0xc4/0x3f4 at addr ffffffc04cd7bd78
Read of size 8 by task WiFiArpStateMac/2306
page:ffffffba43fd4490 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected

[<ffffffc00008ba0c>] dump_backtrace+0x0/0x200
[<ffffffc00008bc20>] show_stack+0x14/0x1c
[<ffffffc001a0e12c>] dump_stack+0x80/0xa4
[<ffffffc0002513f8>] kasan_report+0x3c0/0x508
[<ffffffc0002503e0>] __asan_load8+0x24/0x70
[<ffffffc001717360>] csum_partial_copy_fromiovecend+0xc4/0x3f4
[<ffffffc00183387c>] ping_getfrag+0x58/0xf0
[<ffffffc0017d3f1c>] __ip_append_data.isra.2+0x8a4/0xe64
[<ffffffc0017d45ac>] ip_append_data.part.3+0xd0/0xf0
[<ffffffc0017d54ec>] ip_append_data+0x1c/0x30
[<ffffffc001834520>] ping_v4_sendmsg+0x5b0/0x700
[<ffffffc00181e7f8>] inet_sendmsg+0xe0/0x128
[<ffffffc0017020b4>] sock_sendmsg+0x13c/0x190
[<ffffffc00170583c>] SyS_sendto+0x194/0x20

Change-Id: Ia4dc47611ed2172cdc504920c20b8fec8c324c91
Acked-by: Sharath Chandra Vurukala <sharathv@qti.qualcomm.com>
Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
parent b17c2640
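
An added example, not part of this commit or of the kernel source: a userspace C model of the failure the commit message describes and of a length check made before the copy. It assumes the copy helper skips finished iovecs with a loop of the form `while (offset >= iov->iov_len)`, which this page does not show; `skip_finished` and `copy_start_checked` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/uio.h>

/* Model of a "skip finished iovecs" loop (assumed shape, see lead-in).
 * Returns the index of the iovec the copy would start from, or -1 if the
 * loop would step past the end of the nr-entry array. The bound exists
 * only in this model so the overrun can be observed without a bad read. */
static int skip_finished(const struct iovec *iov, size_t nr, size_t offset)
{
    size_t i = 0;

    while (i < nr && offset >= iov[i].iov_len) {
        offset -= iov[i].iov_len;
        i++;
    }
    return i < nr ? (int)i : -1;
}

/* Guard in the spirit of the commit title: with nothing to copy, return
 * before the iovec array is walked at all. Returns 0 on success (the
 * empty case included) and -1 if the walk would leave the array. */
static int copy_start_checked(const struct iovec *iov, size_t nr,
                              size_t offset, size_t len, int *start)
{
    *start = -1;
    if (len == 0)
        return 0;               /* no payload: skip the copy entirely */
    *start = skip_finished(iov, nr, offset);
    return *start < 0 ? -1 : 0;
}

int main(void)
{
    /* Constructed input: a single iovec with no payload, offset zero. */
    struct iovec iov[1] = { { NULL, 0 } };
    int start;
    int rc;

    /* 0 >= 0 holds, so the unguarded walk leaves the array: prints -1. */
    printf("unchecked walk: %d\n", skip_finished(iov, 1, 0));

    rc = copy_start_checked(iov, 1, 0, 0, &start);
    printf("checked: rc=%d start=%d\n", rc, start);
    return 0;
}
```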