[PATCH openEuler-1.0-LTS 0/2] CVE-2023-53125 - Kernel - mailweb.openeuler.org

newer
[PATCH openEuler-1.0-LTS] net:...

[PATCH openEuler-1.0-LTS 0/2] CVE-2023-53125

older
[PATCH OLK-6.6] x86/tdx: Fix...

Wang Liang

28 Jun 2025 28 Jun '25

2:49 p.m.

Szymon Heidrich (2): net: usb: smsc75xx: Limit packet length to skb->len net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull drivers/net/usb/smsc75xx.c | 7 +++++++ 1 file changed, 7 insertions(+) -- 2.34.1

Reply

Sign in to reply online Use email software

Show replies by date

patchwork bot

28 Jun 28 Jun

2:35 p.m.

反馈：您发送到kernel@openeuler.org的补丁/补丁集，已成功转换为PR！ PR链接地址： https://gitee.com/openeuler/kernel/pulls/16831 邮件列表地址：https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/GY6... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/16831 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/GY6...

Reply

Sign in to reply online Use email software

Wang Liang

2:49 p.m.

New subject: [PATCH openEuler-1.0-LTS 1/2] net: usb: smsc75xx: Limit packet length to skb->len

From: Szymon Heidrich <szymon.heidrich@gmail.com> stable inclusion from stable-v4.19.279 commit 53966d572d056d6b234cfe76a5f9d60049d3c178 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC5DCQ CVE: CVE-2023-53125 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit d8b228318935044dafe3a5bc07ee71a1f1424b8d ] Packet length retrieved from skb data may be larger than the actual socket buffer length (up to 9026 bytes). In such case the cloned skb passed up the network stack will leak kernel memory contents. Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver") Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Wang Liang <wangliang74@huawei.com> --- drivers/net/usb/smsc75xx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c index dea72fa04958..bb3301678d17 100644 --- a/drivers/net/usb/smsc75xx.c +++ b/drivers/net/usb/smsc75xx.c @@ -2227,7 +2227,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) dev->net->stats.rx_frame_errors++; } else { /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */ - if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) { + if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) || + size > skb->len)) { netif_dbg(dev, rx_err, dev->net, "size err rx_cmd_a=0x%08x\n", rx_cmd_a); -- 2.34.1

Reply

Sign in to reply online Use email software

Wang Liang

2:49 p.m.

New subject: [PATCH openEuler-1.0-LTS 2/2] net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull

From: Szymon Heidrich <szymon.heidrich@gmail.com> stable inclusion from stable-v4.19.279 commit 89441504d66d116eb5ce58c132f58cdcca5b498a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC5DCQ CVE: CVE-2023-53125 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 43ffe6caccc7a1bb9d7442fbab521efbf6c1378c ] Packet length check needs to be located after size and align_count calculation to prevent kernel panic in skb_pull() in case rx_cmd_a & RX_CMD_A_RED evaluates to true. Fixes: d8b228318935 ("net: usb: smsc75xx: Limit packet length to skb->len") Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> Link: https://lore.kernel.org/r/20230316110540.77531-1-szymon.heidrich@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Wang Liang <wangliang74@huawei.com> --- drivers/net/usb/smsc75xx.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c index bb3301678d17..573d7ad2e708 100644 --- a/drivers/net/usb/smsc75xx.c +++ b/drivers/net/usb/smsc75xx.c @@ -2215,6 +2215,13 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) size = (rx_cmd_a & RX_CMD_A_LEN) - RXW_PADDING; align_count = (4 - ((size + RXW_PADDING) % 4)) % 4; + if (unlikely(size > skb->len)) { + netif_dbg(dev, rx_err, dev->net, + "size err rx_cmd_a=0x%08x\n", + rx_cmd_a); + return 0; + } + if (unlikely(rx_cmd_a & RX_CMD_A_RED)) { netif_dbg(dev, rx_err, dev->net, "Error rx_cmd_a=0x%08x\n", rx_cmd_a); @@ -2227,8 +2234,7 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) dev->net->stats.rx_frame_errors++; } else { /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */ - if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) || - size > skb->len)) { + if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) { netif_dbg(dev, rx_err, dev->net, "size err rx_cmd_a=0x%08x\n", rx_cmd_a); -- 2.34.1

Reply

Sign in to reply online Use email software

4

Age (days ago)

4

Last active (days ago)

3 comments

2 participants

tags

participants (2)

patchwork bot
Wang Liang