)]}'
{
  "commit": "c46f8a87c479cd2e964513992d3eab92eff5c160",
  "tree": "cff5170263be209d01c1b00142c3401d4a7e4527",
  "parents": [
    "5741bb662004405d5bf713a98ec92b9e5170f7bb"
  ],
  "author": {
    "name": "Or Cohen",
    "email": "orcohen@paloaltonetworks.com",
    "time": "Thu Sep 03 21:05:28 2020 -0700"
  },
  "committer": {
    "name": "Robert Kolchmeyer",
    "email": "rkolchmeyer@google.com",
    "time": "Fri Sep 04 17:24:04 2020 +0000"
  },
  "message": "net/packet: fix overflow in tpacket_rcv\n\nUsing tp_reserve to calculate netoff can overflow as\ntp_reserve is unsigned int and netoff is unsigned short.\n\nThis may lead to macoff receving a smaller value then\nsizeof(struct virtio_net_hdr), and if po-\u003ehas_vnet_hdr\nis set, an out-of-bounds write will occur when\ncalling virtio_net_hdr_from_skb.\n\nThe bug is fixed by converting netoff to unsigned int\nand checking if it exceeds USHRT_MAX.\n\nThis addresses CVE-2020-14386\n\nFixes: 8913336a7e8d (\"packet: add PACKET_RESERVE sockopt\")\nSigned-off-by: Or Cohen \u003corcohen@paloaltonetworks.com\u003e\nSigned-off-by: Eric Dumazet \u003cedumazet@google.com\u003e\n(backported from\nhttps://patchwork.ozlabs.org/project/netdev/patch/20200904040528.3635711-1-edumazet@google.com/)\nSigned-off-by: Robert Kolchmeyer \u003crkolchmeyer@google.com\u003e\n\nBUG\u003db/167730744\nTEST\u003dManually tried the reproducer before and after this fix.\nRELEASE_NOTE\u003dFixed overflow in tpacket_rcv, which caused CVE-2020-14386.\nSOURCE\u003dFROMLIST(https://patchwork.ozlabs.org/project/netdev/patch/20200904040528.3635711-1-edumazet@google.com/)\n\nChange-Id: Ifc451bdd97c124917e49023db2d7f3a0356d4801\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/5043\nTested-by: Robert Kolchmeyer \u003crkolchmeyer@google.com\u003e\nReviewed-by: Roy Yang \u003croyyang@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "ecea8edae61c1c03e97d3a2e41b8bd3a4227b277",
      "old_mode": 33188,
      "old_path": "net/packet/af_packet.c",
      "new_id": "c63a54964001c7554ea6035a13a9212576eeaceb",
      "new_mode": 33188,
      "new_path": "net/packet/af_packet.c"
    }
  ]
}