mirror-linux/drivers
Eric Dumazet 7d3fce8cbe slip: make slhc_remember() more robust against malicious packets
syzbot found that slhc_remember() was missing checks against
malicious packets [1].

slhc_remember() only checked that the size of the packet was at least 20,
which is not good enough.

We need to make sure the packet includes the IPv4 and TCP header
that are supposed to be carried.

Add iph and th pointers to make the code more readable.

[1]

BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
  slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
  ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455
  ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]
  ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212
  ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327
  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
  __release_sock+0x1da/0x330 net/core/sock.c:3072
  release_sock+0x6b/0x250 net/core/sock.c:3626
  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4091 [inline]
  slab_alloc_node mm/slub.c:4134 [inline]
  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
  alloc_skb include/linux/skbuff.h:1322 [inline]
  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024

Fixes: b5451d783a ("slip: Move the SLIP drivers")
Reported-by: syzbot+2ada1bc857496353be5a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/670646db.050a0220.3f80e.0027.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241009091132.2136321-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2024-10-10 09:06:32 -07:00
accel dma-mapping updates for linux 6.12 2024-09-19 11:12:49 +02:00
accessibility
acpi move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
amba
android
ata move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
atm
auxdisplay move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
base move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
bcma
block move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
bluetooth Bluetooth: btusb: Don't fail external suspend requests 2024-10-04 16:54:25 -04:00
bus Driver core update for 6.12-rc1 2024-09-27 08:48:37 -07:00
cache
cdrom
cdx
char move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
clk move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
clocksource Updates for x86 timers: 2024-09-17 15:27:01 +02:00
comedi move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
connector
counter move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
cpufreq move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
cpuidle pmdomain core: 2024-09-18 10:49:45 +02:00
crypto move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
cxl move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
dax
dca
devfreq
dio
dma soc: convert ep93xx to devicetree 2024-09-26 12:00:25 -07:00
dma-buf drm next for 6.12-rc1 2024-09-19 10:18:15 +02:00
dpll
edac - Drop a now obsolete ppc4xx_edac driver 2024-09-16 06:36:37 +02:00
eisa
extcon Char/Misc and other driver changes for 6.12-rc1 2024-09-26 10:13:08 -07:00
firewire move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
firmware move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
fpga move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
fsi move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
gnss [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
gpio [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
gpu move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
greybus move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
hid Getting rid of asm/unaligned.h includes 2024-10-02 16:42:28 -07:00
hsi
hte
hv drm next for 6.12-rc1 2024-09-19 10:18:15 +02:00
hwmon move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
hwspinlock
hwtracing [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
i2c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
i3c i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition 2024-09-17 16:51:45 +02:00
idle intel_idle: fix ACPI _CST matching for newer Xeon platforms 2024-09-25 22:30:33 +02:00
iio move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
infiniband [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
input Getting rid of asm/unaligned.h includes 2024-10-02 16:42:28 -07:00
interconnect
iommu [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
ipack
irqchip Merge tag 'irq-core-2024-09-16' into loongarch-next 2024-09-17 22:20:12 +08:00
isdn move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
leds move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
macintosh move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
mailbox mailbox, remoteproc: omap2+: fix compile testing 2024-09-27 09:11:05 -05:00
mcb
md Getting rid of asm/unaligned.h includes 2024-10-02 16:42:28 -07:00
media move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
memory
memstick move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
message SCSI misc on 20240928 2024-09-29 09:22:34 -07:00
mfd move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
misc move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
mmc move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
most
mtd move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
mux
net slip: make slhc_remember() more robust against malicious packets 2024-10-10 09:06:32 -07:00
nfc move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
ntb ntb: Force physically contiguous allocation of rx ring buffers 2024-09-20 10:51:25 -04:00
nubus
nvdimm virtio: features, fixes, cleanups 2024-09-26 08:43:17 -07:00
nvme move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
nvmem Char/Misc and other driver changes for 6.12-rc1 2024-09-26 10:13:08 -07:00
of Kbuild updates for v6.12 2024-09-24 13:02:06 -07:00
opp
parisc
parport
pci move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
pcmcia move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
peci move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
perf RISC-V Patches for the 6.12 Merge Window, Part 1 2024-09-24 10:59:17 -07:00
phy phy-for-6.12 2024-09-23 14:05:10 -07:00
pinctrl soc: convert ep93xx to devicetree 2024-09-26 12:00:25 -07:00
platform move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
pmdomain pmdomain: core: Reduce debug summary table width 2024-09-13 13:41:33 +02:00
pnp
power move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
powercap
pps [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
ps3
ptp move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
pwm soc: convert ep93xx to devicetree 2024-09-26 12:00:25 -07:00
rapidio
ras
regulator regulator: sm5703: Remove because it is unused and fails to build 2024-09-13 19:08:14 +01:00
remoteproc mhu-v3, omap2+ : fix kconfig dependencies 2024-09-29 09:53:04 -07:00
reset
rpmsg rpmsg: glink: Avoid -Wflex-array-member-not-at-end warnings 2024-09-13 14:09:47 -07:00
rtc move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
s390 more s390 updates for 6.12 merge window 2024-09-28 09:11:46 -07:00
sbus [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
scsi move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
sh sh: intc: Replace simple_strtoul() with kstrtoul() 2024-09-26 17:25:29 +02:00
siox
slimbus
soc move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
soundwire soundwire updates for 6.12 2024-09-23 14:00:46 -07:00
spi move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
spmi
ssb
staging move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
target move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
tc
tee
thermal move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
thunderbolt
tty move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
ufs move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
uio
usb move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
vdpa virtio: features, fixes, cleanups 2024-09-26 08:43:17 -07:00
vfio [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
vhost move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
video move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
virt [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
virtio virtio: features, fixes, cleanups 2024-09-26 08:43:17 -07:00
w1
watchdog move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
xen xen: branch for v6.12-rc1a 2024-09-27 09:55:30 -07:00
zorro
Kconfig
Makefile