Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/net
History
Bingquan Chen 2c054e17d9 net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() 
In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points
directly into the mmap'd TX ring buffer shared with userspace. The
kernel validates the header via __packet_snd_vnet_parse() but then
re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent
userspace thread can modify the vnet_hdr fields between validation
and use, bypassing all safety checks.

The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr
to a stack-local variable. All other vnet_hdr consumers in the kernel
(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX
path is the only caller of virtio_net_hdr_to_skb() that reads directly
from user-controlled shared memory.

Fix this by copying vnet_hdr from the mmap'd ring buffer to a
stack-local variable before validation and use, consistent with the
approach used in packet_snd() and all other callers.

Fixes: 1d036d25e5 ("packet: tpacket_snd gso and checksum offload")
Signed-off-by: Bingquan Chen <patzilla007@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260418112006.78823-1-patzilla007@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 		2026-04-22 20:16:34 -07:00
..
6lowpan
9p Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
802 Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
8021q Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
appletalk Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-03-19 14:16:00 -07:00
ax25 net: change sock.sk_ino and sock_i_ino() to u64 2026-03-06 14:31:26 +01:00
batman-adv Here are two batman-adv bugfixes: 2026-04-08 18:50:27 -07:00
bluetooth Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
bpf bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb 2026-04-12 15:42:57 -07:00
bridge net: bridge: use a stable FDB dst snapshot in RCU readers 2026-04-16 12:47:41 +02:00
caif net: caif: clear client service pointer on teardown 2026-04-14 13:21:54 +02:00
can Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
ceph libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() 2026-03-11 10:18:56 +01:00
core net: warn ops-locked drivers still using ndo_set_rx_mode 2026-04-21 12:50:25 +02:00
dcb Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
devlink Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-09 13:20:59 -07:00
dns_resolver net: Add SPDX ids to some source files 2026-03-09 18:32:45 -07:00
dsa net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops 2026-04-16 19:10:48 -07:00
ethernet bonding: prevent potential infinite loop in bond_header_parse() 2026-03-16 19:29:45 -07:00
ethtool ethtool: strset: check nla_len overflow 2026-04-12 11:23:50 -07:00
handshake treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
hsr net: hsr: emit notification for PRP slave2 changed hw addr on port deletion 2026-04-07 17:06:16 +02:00
ieee802154 net: remove addr_len argument of recvmsg() handlers 2026-03-02 18:17:17 -08:00
ife
ipv4 tcp: annotate data-races around tp->plb_rehash 2026-04-18 11:10:14 -07:00
ipv6 ipv6: fix possible UAF in icmpv6_rcv() 2026-04-18 12:09:52 -07:00
iucv net/iucv: Add missing kernel-doc return value descriptions 2026-03-31 20:14:56 -07:00
kcm kcm: fix zero-frag skb in frag_list on partial sendmsg error 2026-02-23 17:26:55 -08:00
key vfs-7.1-rc1.kino 2026-04-13 12:19:01 -07:00
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-09 13:20:59 -07:00
l3mdev
lapb treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
llc treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
mac80211 Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
mac802154 bonding: prevent potential infinite loop in bond_header_parse() 2026-03-16 19:29:45 -07:00
mctp net: mctp: fix don't require received header reserved bits to be zero 2026-04-20 11:46:57 -07:00
mpls Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-02 11:03:13 -07:00
mptcp net: use get_random_u{16,32,64}() where appropriate 2026-04-09 19:27:43 -07:00
ncsi net: ncsi: fix skb leak in error paths 2026-03-06 17:34:48 -08:00
netfilter netfilter: require Ethernet MAC header before using eth_hdr() 2026-04-10 12:16:27 +02:00
netlabel Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
netlink Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
netrom treewide: change inode->i_ino from unsigned long to u64 2026-03-06 14:31:28 +01:00
nfc NFC: digital: Bounds check NFC-A cascade depth in SDD response handler 2026-04-12 11:40:45 -07:00
nsh
openvswitch openvswitch: cap upcall PID array size and pre-size vport replies 2026-04-20 11:43:04 -07:00
packet net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() 2026-04-22 20:16:34 -07:00
phonet Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
psample treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
psp net: remove EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() macros 2026-03-29 11:21:22 -07:00
qrtr Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-14 12:04:00 -07:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-14 12:04:00 -07:00
rfkill net: rfkill: prevent unlimited numbers of rfkill events from being created 2026-04-07 12:35:04 +02:00
rose Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
rxrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-09 13:20:59 -07:00
sched net/sched: sch_dualpi2: drain both C-queue and L-queue in dualpi2_change() 2026-04-21 15:00:39 +02:00
sctp sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks 2026-04-18 12:16:14 -07:00
shaper net: shaper: protect from late creation of hierarchy 2026-03-19 13:47:15 +01:00
smc net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer 2026-03-20 18:59:30 -07:00
strparser net: strparser: fix skb_head leak in strp_abort_strp() 2026-04-14 12:37:00 +02:00
sunrpc kernfs: pass struct ns_common instead of const void * for namespace tags 2026-04-09 14:36:52 +02:00
switchdev bridge: No DEV_PATH_BR_VLAN_UNTAG_HW for dsa foreign 2026-03-19 13:14:00 +01:00
tipc net: use get_random_u{16,32,64}() where appropriate 2026-04-09 19:27:43 -07:00
tls Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-09 13:20:59 -07:00
unix af_unix: Drop all SCM attributes for SOCKMAP. 2026-04-18 12:12:28 -07:00
vmw_vsock hv_sock: Report EOF instead of -EIO for FIN 2026-04-20 11:44:43 -07:00
wireless Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
x25 vfs-7.1-rc1.kino 2026-04-13 12:19:01 -07:00
xdp Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-09 13:20:59 -07:00
Kconfig
Kconfig.debug
Makefile
compat.c
devres.c
socket.c Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
sysctl_net.c