author | Mike Pagano <mpagano@gentoo.org> | 2023-12-01 05:49:18 -0500 |
---|---|---|
committer | Mike Pagano <mpagano@gentoo.org> | 2023-12-01 05:49:18 -0500 |
commit | be86e54339a2b599793e5fdef9a8e47868e25201 (patch) | |
tree | d6a3b5819344dd35c785ca10365da15edadfff53 | |
parent | Linux patch 5.15.140 (diff) | |
download | linux-patches-5.15-148.tar.gz linux-patches-5.15-148.tar.bz2 linux-patches-5.15-148.zip |
neighbour: Fix __randomize_layout crash in struct neighbour (5.15-148)
Bug: https://bugs.gentoo.org/918128
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
-rw-r--r-- | 0000_README | 4 |
-rw-r--r-- | 2010_Fix_randomize_layout_crash_in_struct_neigh.patch | 44 |
2 files changed, 48 insertions, 0 deletions
diff --git a/0000_README b/0000_README index d4865937..e1db5ee3 100644 --- a/0000_README +++ b/0000_README @@ -615,6 +615,10 @@ Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch From: https://lore.kernel.org/linux-bluetooth/20190522070540.48895-1-marcel@holtmann.org/raw Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758 +Patch: 2010_Fix_randomize_layout_crash_in_struct_neigh.patch +From: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=45b3fae4675d +Desc: neighbour: Fix __randomize_layout crash in struct neighbour + Patch: 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch From: https://bugs.gentoo.org/710790 Desc: tmp513 requies REGMAP_I2C to build. Select it by default in Kconfig. See bug #710790. Thanks to Phil Stracchino diff --git a/2010_Fix_randomize_layout_crash_in_struct_neigh.patch b/2010_Fix_randomize_layout_crash_in_struct_neigh.patch new file mode 100644 index 00000000..8ee50b2f --- /dev/null +++ b/2010_Fix_randomize_layout_crash_in_struct_neigh.patch 
@@ -0,0 +1,44 @@ +From 45b3fae4675dc1d4ee2d7aefa19d85ee4f891377 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" <gustavoars@kernel.org> +Date: Sat, 25 Nov 2023 15:33:58 -0600 +Subject: neighbour: Fix __randomize_layout crash in struct neighbour + +Previously, one-element and zero-length arrays were treated as true +flexible arrays, even though they are actually "fake" flex arrays. +The __randomize_layout would leave them untouched at the end of the +struct, similarly to proper C99 flex-array members. + +However, this approach changed with commit 1ee60356c2dc ("gcc-plugins: +randstruct: Only warn about true flexible arrays"). Now, only C99 +flexible-array members will remain untouched at the end of the struct, +while one-element and zero-length arrays will be subject to randomization. + +Fix a `__randomize_layout` crash in `struct neighbour` by transforming +zero-length array `primary_key` into a proper C99 flexible-array member. + +Fixes: 1ee60356c2dc ("gcc-plugins: randstruct: Only warn about true flexible arrays") +Closes: https://lore.kernel.org/linux-hardening/20231124102458.GB1503258@e124191.cambridge.arm.com/ +Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> +Reviewed-by: Kees Cook <keescook@chromium.org> +Tested-by: Joey Gouly <joey.gouly@arm.com> +Link: https://lore.kernel.org/r/ZWJoRsJGnCPdJ3+2@work +Signed-off-by: Paolo Abeni <pabeni@redhat.com> +--- + include/net/neighbour.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/neighbour.h b/include/net/neighbour.h +index 07022bb0d44d4b..0d28172193fa63 100644 +--- a/include/net/neighbour.h ++++ b/include/net/neighbour.h +@@ -162,7 +162,7 @@ struct neighbour { + struct rcu_head rcu; + struct net_device *dev; + netdevice_tracker dev_tracker; +- u8 primary_key[0]; ++ u8 primary_key[]; + } __randomize_layout; + + struct neigh_ops { +-- +cgit |
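Review bot: The new `0000_README` entry omits the Gentoo bug reference that the neighbouring entries carry in their `Desc:` lines ("See bug #686758", "See bug #710790"), although the commit message names https://bugs.gentoo.org/918128. Appending "See bug #918128" to `Desc: neighbour: Fix __randomize_layout crash in struct neighbour` would keep the index searchable by bug number. The `From:` URL also uses the abbreviated id `45b3fae4675d`, while the patch file's first line has the full hash `45b3fae4675dc1d4ee2d7aefa19d85ee4f891377`; the full hash in the URL avoids any future ambiguity.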
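Review bot: The `Fixes:` line in `2010_Fix_randomize_layout_crash_in_struct_neigh.patch` ties the crash to 1ee60356c2dc ("gcc-plugins: randstruct: Only warn about true flexible arrays"), so this backport is only justified if that randstruct change is present in the tree being patched (the parent here is "Linux patch 5.15.140"). The commit message should state that, or point to where the bug report confirms it. The change itself, `u8 primary_key[0];` to `u8 primary_key[];`, is sound as shown: the member sits directly before `} __randomize_layout;`, which is the last-member position a C99 flexible array requires. The upstream message says all one-element and zero-length trailing arrays are now subject to randomization, so it is worth checking whether other `__randomize_layout` structs in this 5.15 patch set still end in `[0]` or `[1]` arrays, since this patch only covers `struct neighbour`.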