linux/drivers/net
Eric Dumazet 7d3fce8cbe slip: make slhc_remember() more robust against malicious packets
syzbot found that slhc_remember() was missing checks against
malicious packets [1].

slhc_remember() only checked the size of the packet was at least 20,
which is not good enough.

We need to make sure the packet includes the IPv4 and TCP header
that are supposed to be carried.

Add iph and th pointers to make the code more readable.

[1]

BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
  slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
  ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455
  ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]
  ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212
  ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327
  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
  __release_sock+0x1da/0x330 net/core/sock.c:3072
  release_sock+0x6b/0x250 net/core/sock.c:3626
  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4091 [inline]
  slab_alloc_node mm/slub.c:4134 [inline]
  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
  alloc_skb include/linux/skbuff.h:1322 [inline]
  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024

Fixes: b5451d783a ("slip: Move the SLIP drivers")
Reported-by: syzbot+2ada1bc857496353be5a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/670646db.050a0220.3f80e.0027.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241009091132.2136321-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2024-10-10 09:06:32 -07:00
arcnet
bonding bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave() 2024-09-24 15:19:50 +02:00
caif
can move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
dsa net: dsa: b53: fix jumbo frames on 10/100 ports 2024-10-08 10:42:27 +02:00
ethernet Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue 2024-10-09 20:01:20 -07:00
fddi
fjes
hamradio TTY/Serial driver update for 6.12-rc1 2024-09-26 09:59:50 -07:00
hippi
hyperv net: netvsc: Update default VMBus channels 2024-08-28 17:18:32 -07:00
ieee802154 Including fixes from ieee802154, bluetooth and netfilter. 2024-10-03 09:44:00 -07:00
ipa net: ipa: make use of dev_err_cast_probe() 2024-08-29 11:41:05 -07:00
ipvlan netdev_features: convert NETIF_F_LLTX to dev->lltx 2024-09-03 11:36:43 +02:00
mctp move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
mdio net: mdiobus: Debug print fwnode handle instead of raw pointer 2024-09-10 12:24:17 +02:00
netdevsim [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
pcs net: pcs: xpcs: fix the wrong register that was written back 2024-10-01 11:00:50 +02:00
phy net: phy: realtek: Fix MMD access on RTL8126A-integrated PHY 2024-10-09 12:43:46 +01:00
plip
ppp ppp: fix ppp_async_encode() illegal access 2024-10-10 08:47:13 -07:00
pse-pd net: pse-pd: Fix enabled status mismatch 2024-10-04 13:14:18 -07:00
slip slip: make slhc_remember() more robust against malicious packets 2024-10-10 09:06:32 -07:00
team netdev_features: convert NETIF_F_NETNS_LOCAL to dev->netns_local 2024-09-03 11:36:43 +02:00
thunderbolt
usb move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
vmxnet3
vxlan vxlan: Handle error of rtnl_register_module(). 2024-10-10 15:39:35 +02:00
wan
wireguard netdev_features: convert NETIF_F_LLTX to dev->lltx 2024-09-03 11:36:43 +02:00
wireless move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
wwan net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() 2024-09-27 12:39:02 +01:00
xen-netback net/xen-netback: prevent UAF in xenvif_flush_hash() 2024-08-28 17:07:42 -07:00
amt.c netdev_features: convert NETIF_F_NETNS_LOCAL to dev->netns_local 2024-09-03 11:36:43 +02:00
bareudp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-09-15 09:13:19 -07:00
dummy.c netdev_features: convert NETIF_F_LLTX to dev->lltx 2024-09-03 11:36:43 +02:00
eql.c
geneve.c netdev_features: convert NETIF_F_LLTX to dev->lltx 2024-09-03 11:36:43 +02:00
gtp.c netdev_features: convert NETIF_F_LLTX to dev->lltx 2024-09-03 11:36:43 +02:00
ifb.c
Kconfig
LICENSE.SRC
loopback.c netdev_features: convert NETIF_F_NETNS_LOCAL to dev->netns_local 2024-09-03 11:36:43 +02:00
macsec.c netdev_features: convert NETIF_F_LLTX to dev->lltx 2024-09-03 11:36:43 +02:00
macvlan.c netdev_features: convert NETIF_F_LLTX to dev->lltx 2024-09-03 11:36:43 +02:00
macvtap.c
Makefile
mdio.c
mhi_net.c
mii.c
net_failover.c netdev_features: convert NETIF_F_NETNS_LOCAL to dev->netns_local 2024-09-03 11:36:43 +02:00
netconsole.c net: netconsole: fix wrong warning 2024-10-09 19:42:43 -07:00
netkit.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-09-15 09:13:19 -07:00
nlmon.c netdev_features: convert NETIF_F_LLTX to dev->lltx 2024-09-03 11:36:43 +02:00
ntb_netdev.c
pfcp.c
rionet.c netdev_features: convert NETIF_F_LLTX to dev->lltx 2024-09-03 11:36:43 +02:00
sb1000.c
Space.c
sungem_phy.c
tap.c [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
tun.c [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
veth.c netdev_features: convert NETIF_F_LLTX to dev->lltx 2024-09-03 11:36:43 +02:00
virtio_net.c virtio_net: Fix mismatched buf address when unmapping for small packets 2024-09-26 10:35:27 +02:00
vrf.c vrf: revert "vrf: Remove unnecessary RCU-bh critical section" 2024-10-02 17:26:11 -07:00
vsockmon.c netdev_features: convert NETIF_F_LLTX to dev->lltx 2024-09-03 11:36:43 +02:00
xen-netfront.c