)]}'
{
  "commit": "4d64e87ddd30cd19fb16caaae5cc3fc81a135e16",
  "tree": "b29ee163a4cbdf4aecfc3b52cfb1a31ba5bf27f3",
  "parents": [
    "e4e286e9fa35f3e52882d3acbc010c51acb1c3be"
  ],
  "author": {
    "name": "Or Cohen",
    "email": "orcohen@paloaltonetworks.com",
    "time": "Sun Aug 30 20:04:51 2020 +0300"
  },
  "committer": {
    "name": "Vaibhav Rustagi",
    "email": "vaibhavrustagi@google.com",
    "time": "Fri Sep 04 01:02:11 2020 +0000"
  },
  "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receiving a smaller value than\nsizeof(struct virtio_net_hdr), and if po-\u003ehas_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nBUG\u003db/167730744\nTEST\u003dManually tried the reproducer before and after this fix.\nRELEASE_NOTE\u003dFixed overflow in tpacket_rcv, which caused\nCVE-2020-14386.\nSOURCE\u003dFROMLIST(https://www.openwall.com/lists/oss-security/2020/09/03/3)\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \u003corcohen@paloaltonetworks.com\u003e\nSigned-off-by: Roy Yang \u003croyyang@google.com\u003e\nChange-Id: I119b9e950f948259bbf0e3afeda5f33c0fb40e51\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/4981\nReviewed-by: Vaibhav Rustagi \u003cvaibhavrustagi@google.com\u003e\nReviewed-by: Robert Kolchmeyer \u003crkolchmeyer@google.com\u003e\nTested-by: Robert Kolchmeyer \u003crkolchmeyer@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "7735340c892eb65f415fa9983c0f6c4c8e056945",
      "old_mode": 33188,
      "old_path": "net/packet/af_packet.c",
      "new_id": "fbc2d4dfddf0e1245762ecff335a167d966e3413",
      "new_mode": 33188,
      "new_path": "net/packet/af_packet.c"
    }
  ]
}
