commit: 5a401bdbc54d08387ac3f7d4d815e21e6f460d63 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Fri Dec 1 10:30:29 2023 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Fri Dec 1 10:30:29 2023 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=5a401bdb
neighbour: Fix __randomize_layout crash in struct neighbour Bug: https://bugs.gentoo.org/918128 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> 0000_README | 4 ++ ...ix_randomize_layout_crash_in_struct_neigh.patch | 44 ++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/0000_README b/0000_README index cbd5f55a..45e6e938 100644 --- a/0000_README +++ b/0000_README @@ -75,6 +75,10 @@ Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch From: https://lore.kernel.org/linux-bluetooth/20190522070540.48895-1-mar...@holtmann.org/raw Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758 +Patch: 2010_Fix_randomize_layout_crash_in_struct_neigh.patch +From: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=45b3fae4675d +Desc: neighbour: Fix __randomize_layout crash in struct neighbour + Patch: 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch From: https://bugs.gentoo.org/710790 Desc: tmp513 requies REGMAP_I2C to build. Select it by default in Kconfig. See bug #710790. Thanks to Phil Stracchino diff --git a/2010_Fix_randomize_layout_crash_in_struct_neigh.patch b/2010_Fix_randomize_layout_crash_in_struct_neigh.patch new file mode 100644 index 00000000..8ee50b2f --- /dev/null +++ b/2010_Fix_randomize_layout_crash_in_struct_neigh.patch @@ -0,0 +1,44 @@ +From 45b3fae4675dc1d4ee2d7aefa19d85ee4f891377 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" <gustavo...@kernel.org> +Date: Sat, 25 Nov 2023 15:33:58 -0600 +Subject: neighbour: Fix __randomize_layout crash in struct neighbour + +Previously, one-element and zero-length arrays were treated as true +flexible arrays, even though they are actually "fake" flex arrays. +The __randomize_layout would leave them untouched at the end of the +struct, similarly to proper C99 flex-array members. + +However, this approach changed with commit 1ee60356c2dc ("gcc-plugins: +randstruct: Only warn about true flexible arrays"). Now, only C99 +flexible-array members will remain untouched at the end of the struct, +while one-element and zero-length arrays will be subject to randomization. + +Fix a `__randomize_layout` crash in `struct neighbour` by transforming +zero-length array `primary_key` into a proper C99 flexible-array member. + +Fixes: 1ee60356c2dc ("gcc-plugins: randstruct: Only warn about true flexible arrays") +Closes: https://lore.kernel.org/linux-hardening/20231124102458.gb1503...@e124191.cambridge.arm.com/ +Signed-off-by: Gustavo A. R. Silva <gustavo...@kernel.org> +Reviewed-by: Kees Cook <keesc...@chromium.org> +Tested-by: Joey Gouly <joey.go...@arm.com> +Link: https://lore.kernel.org/r/ZWJoRsJGnCPdJ3+2@work +Signed-off-by: Paolo Abeni <pab...@redhat.com> +--- + include/net/neighbour.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/neighbour.h b/include/net/neighbour.h +index 07022bb0d44d4b..0d28172193fa63 100644 +--- a/include/net/neighbour.h ++++ b/include/net/neighbour.h +@@ -162,7 +162,7 @@ struct neighbour { + struct rcu_head rcu; + struct net_device *dev; + netdevice_tracker dev_tracker; +- u8 primary_key[0]; ++ u8 primary_key[]; + } __randomize_layout; + + struct neigh_ops { +-- +cgit
