kernel_samsung_a53x/drivers
Eric Dumazet 9fe9feaa4c slip: make slhc_remember() more robust against malicious packets
[ Upstream commit 7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c ]

syzbot found that slhc_remember() was missing checks against
malicious packets [1].

slhc_remember() only checked that the size of the packet was at least 20,
which is not good enough.

We need to make sure the packet includes the IPv4 and TCP headers
that are supposed to be carried.

Add iph and th pointers to make the code more readable.

[1]

BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
  slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
  ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455
  ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]
  ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212
  ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327
  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
  __release_sock+0x1da/0x330 net/core/sock.c:3072
  release_sock+0x6b/0x250 net/core/sock.c:3626
  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4091 [inline]
  slab_alloc_node mm/slub.c:4134 [inline]
  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
  alloc_skb include/linux/skbuff.h:1322 [inline]
  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024

Fixes: b5451d783ade ("slip: Move the SLIP drivers")
Reported-by: syzbot+2ada1bc857496353be5a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/670646db.050a0220.3f80e.0027.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241009091132.2136321-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-23 23:21:52 +01:00
accessibility speakup: Fix sizeof() vs ARRAY_SIZE() bug 2024-11-19 12:26:51 +01:00
acpi ACPI: battery: Fix possible crash when unregistering a battery hook 2024-11-23 23:21:48 +01:00
amba
android binder: fix UAF caused by offsets overwrite 2024-11-23 23:21:07 +01:00
ata ata: sata_sil: Rename sil_blacklist to sil_quirks 2024-11-23 23:21:40 +01:00
atm atm: idt77252: prevent use after free in dequeue_rx() 2024-11-23 23:20:43 +01:00
auxdisplay
base driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute 2024-11-23 23:21:50 +01:00
battery drivers: battery_v2: sec_battery: export {CURRENT/VOLTAGE}_MAX to sysfs 2024-11-17 17:43:14 +01:00
bcma
block aoe: fix the potential use-after-free problem in more places 2024-11-23 23:21:45 +01:00
bluetooth Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() 2024-11-23 23:21:35 +01:00
bts
bus bus: integrator-lm: fix OF node leak in probe() 2024-11-23 23:21:30 +01:00
cdrom
char virtio_console: fix misc probe bugs 2024-11-23 23:21:49 +01:00
clk clk: imx: Remove CLK_SET_PARENT_GATE for DRAM mux for i.MX7D 2024-11-23 23:21:50 +01:00
clocksource clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() 2024-11-23 23:21:20 +01:00
connector
counter counter: ti-eqep: enable clock at probe 2024-11-19 14:19:33 +01:00
cpufreq cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails appropriately 2024-11-23 23:21:18 +01:00
cpuidle cpuidle: menu: Take negative "sleep length" values into account 2024-11-19 18:01:28 +01:00
crypto crypto: ccp - Properly unregister /dev/sev on sev PLATFORM_STATUS failure 2024-11-23 23:21:31 +01:00
dax
dca
devfreq PM / devfreq: Fix buffer overflow in trans_stat_show 2024-11-19 11:32:38 +01:00
dio
dma dmaengine: dw: Add memory bus width verification 2024-11-23 23:20:55 +01:00
dma-buf dma-buf/sync_file: Speed up ioctl by omitting debug names 2024-11-19 17:53:23 +01:00
edac EDAC, i10nm: make skx_common.o a separate module 2024-11-23 23:19:56 +01:00
eisa
extcon extcon: max8997: select IRQ_DOMAIN instead of depending on it 2024-11-19 12:27:04 +01:00
fingerprint
firewire firewire: nosy: ensure user_length is taken into account when fetching packet contents 2024-11-19 11:32:46 +01:00
firmware firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() 2024-11-23 23:21:42 +01:00
fpga fpga: region: add owner module and take its refcount 2024-11-19 12:27:04 +01:00
fsi
gnss
gpio gpio: aspeed: Use devm_clk api to manage clock source 2024-11-23 23:21:51 +01:00
gpu drm/amd/display: Check null pointer before dereferencing se 2024-11-23 23:21:50 +01:00
greybus greybus: Fix use-after-free bug in gb_interface_release due to race condition. 2024-11-19 14:19:05 +01:00
gud
hid HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup 2024-11-23 23:21:06 +01:00
hsi
hv Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic 2024-11-23 23:21:07 +01:00
hwmon hwmon: (ntc_thermistor) fix module autoloading 2024-11-23 23:21:20 +01:00
hwspinlock hwspinlock: Introduce hwspin_lock_bust() 2024-11-23 23:20:58 +01:00
hwtracing coresight: tmc: sg: Do not leak sg_table 2024-11-23 23:21:28 +01:00
i2c i2c: i801: Use a different adapter-name for IDF adapters 2024-11-23 23:21:50 +01:00
i3c i3c: master: cdns: Update maximum prescaler value for i2c clock 2024-11-18 12:13:19 +01:00
ide
idle
ifconn
iio iio: magnetometer: ak8975: Fix reading for ak099xx sensors 2024-11-23 23:21:45 +01:00
infiniband RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt 2024-11-23 23:21:50 +01:00
input Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal 2024-11-23 23:21:49 +01:00
interconnect interconnect: qcom: sm8250: Enable sync_state 2024-11-23 23:21:28 +01:00
iommu iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count 2024-11-23 23:21:40 +01:00
ipack
irqchip irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1 2024-11-23 23:21:03 +01:00
isdn mISDN: Fix a use after free in hfcmulti_tx() 2024-11-23 23:20:17 +01:00
kperfmon
kq/mesh
leds leds: spi-byte: Call of_node_put() on error path 2024-11-23 23:21:03 +01:00
lightnvm
macintosh macintosh/therm_windtunnel: fix module unload. 2024-11-23 23:20:11 +01:00
mailbox mailbox: bcm2835: Fix timeout during suspend mode 2024-11-23 23:21:35 +01:00
mcb mcb: fix error handling for different scenarios when parsing 2024-11-18 11:43:25 +01:00
md Revert "dm: requeue IO if mapping table not yet available" 2024-11-23 23:21:28 +01:00
media media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() 2024-11-23 23:21:50 +01:00
memory memory: stm32-fmc2-ebi: check regmap_read return value 2024-11-23 23:20:46 +01:00
memstick
message
mfd mfd: omap-usb-tll: Use struct_size to allocate tll 2024-11-23 23:20:09 +01:00
misc VMCI: Fix use-after-free when removing resource in vmci_resource_remove() 2024-11-23 23:21:07 +01:00
mmc mmc: cqhci: Fix checking of CQHCI_HALT state 2024-11-23 23:21:09 +01:00
most
mtd mtd: powernv: Add check devm_kasprintf() returned value 2024-11-23 23:21:21 +01:00
muic
mux
net slip: make slhc_remember() more robust against malicious packets 2024-11-23 23:21:52 +01:00
nfc nfc: pn533: Add poll mod list filling check 2024-11-23 23:20:55 +01:00
ntb ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition 2024-11-23 23:21:50 +01:00
nubus
nvdimm virtio_pmem: Check device status before requesting flush 2024-11-23 23:21:50 +01:00
nvme nvmet-tcp: fix kernel crash if commands allocation fails 2024-11-23 23:21:08 +01:00
nvmem nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc 2024-11-23 23:21:07 +01:00
of of/irq: Support #msi-cells=<0> in of_msi_get_domain 2024-11-23 23:21:44 +01:00
opp OPP: debugfs: Fix warning around icc_get_name() 2024-11-19 08:44:49 +01:00
oprofile
parisc
parport dev/parport: fix the array out-of-bounds risk 2024-11-23 23:20:14 +01:00
pci PCI: Mark Creative Labs EMU20k2 INTx masking as broken 2024-11-23 23:21:50 +01:00
pcmcia pcmcia: Use resource_size function on resource object 2024-11-23 23:21:03 +01:00
perf
phy phy: tegra: xusb: Add API to retrieve the port number of phy 2024-11-19 09:22:34 +01:00
pinctrl pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function 2024-11-23 23:21:25 +01:00
platform platform/x86: touchscreen_dmi: add nanote-next quirk 2024-11-23 23:21:40 +01:00
pnp PNP: ACPI: fix fortify warning 2024-11-18 12:13:09 +01:00
power power: reset: brcmstb: Do not go into infinite loop if reset fails 2024-11-23 23:21:40 +01:00
powercap powercap: RAPL: fix invalid initialization for pl4_supported field 2024-11-23 23:21:29 +01:00
pps pps: add an error check in parport_attach 2024-11-23 23:21:34 +01:00
ps3
ptp ptp: Fix error message on failed pin verification 2024-11-19 14:19:01 +01:00
pwm pwm: stm32: Always do lazy disabling 2024-11-23 23:19:56 +01:00
rapidio
ras
regulator regulator: core: Fix modpost error "regulator_get_regmap" undefined 2024-11-19 14:19:09 +01:00
remoteproc remoteproc: imx_rproc: Skip over memory region when node value is NULL 2024-11-23 23:20:20 +01:00
reset reset: berlin: fix OF node leak in probe() error path 2024-11-23 23:21:20 +01:00
rpmsg rpmsg: virtio: Free driver_override when rpmsg_remove() 2024-11-18 12:12:56 +01:00
rtc rtc: at91sam9: fix OF node leak in probe() error path 2024-11-23 23:21:46 +01:00
s390 s390/zcore: release dump save area on restart or power down 2024-11-23 23:21:48 +01:00
samsung
sbus
scsi scsi: aacraid: Rearrange order of struct aac_srb_unit 2024-11-23 23:21:41 +01:00
sensorhub
sensors
sfi
sh
siox
slimbus slimbus: core: Remove usage of the deprecated ida_simple_xx() API 2024-11-19 09:22:34 +01:00
soc soc: versatile: realview: fix soc_dev leak during device remove 2024-11-23 23:21:34 +01:00
soundwire soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" 2024-11-23 23:21:13 +01:00
spi spi: bcm63xx: Fix module autoloading 2024-11-23 23:21:42 +01:00
spmi
spu_verify
ssb ssb: Fix division by zero issue in ssb_calc_clock_rate 2024-11-23 23:20:44 +01:00
staging minmax: reduce min/max macro expansion in atomisp driver 2024-11-23 23:21:12 +01:00
sti
target target/file: allocate the bvec array as part of struct target_core_file_cmd 2024-11-19 17:42:15 +01:00
tc
tee tee: optee: Fix kernel panic caused by incorrect error handling 2024-11-19 09:22:39 +01:00
thermal thermal: core: prevent potential string overflow 2024-11-18 11:42:50 +01:00
thunderbolt thunderbolt: Mark XDomain as unplugged when router is removed 2024-11-23 23:20:42 +01:00
tty tty: rp2: Fix reset with non forgiving PCIe host bridges 2024-11-23 23:21:31 +01:00
uh
uio Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic 2024-11-23 23:21:07 +01:00
usb usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in the Crashkernel Scenario 2024-11-23 23:21:50 +01:00
vdpa
vfio vfio/fsl-mc: Block calling interrupt handler without trigger 2024-11-19 09:22:45 +01:00
vhost vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() 2024-11-23 23:21:48 +01:00
vibrator
video fbdev: sisfb: Fix strbuf array overflow 2024-11-23 23:21:50 +01:00
virt
virtio vdpa: Add eventfd for the vdpa callback 2024-11-23 23:21:28 +01:00
vision
vision3
visorbus
vlynq
vme
w1
watchdog watchdog: imx_sc_wdt: Don't disable WDT in suspend 2024-11-23 23:21:25 +01:00
xen xen/swiotlb: add alignment check for dma buffers 2024-11-23 23:21:22 +01:00
zorro
Kconfig Added KernelSU 2024-11-19 22:44:48 +01:00
Kconfig.variant1
kernelsu Added KernelSU 2024-11-19 22:44:48 +01:00
Makefile Added KernelSU 2024-11-19 22:44:48 +01:00
Makefile.variant1