kernel_samsung_a53x/drivers/net
Eric Dumazet 9fe9feaa4c slip: make slhc_remember() more robust against malicious packets
[ Upstream commit 7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c ]

syzbot found that slhc_remember() was missing checks against
malicious packets [1].

slhc_remember() only checked the size of the packet was at least 20,
which is not good enough.

We need to make sure the packet includes the IPv4 and TCP header
that are supposed to be carried.

Add iph and th pointers to make the code more readable.

[1]

BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
  slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
  ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455
  ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]
  ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212
  ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327
  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
  __release_sock+0x1da/0x330 net/core/sock.c:3072
  release_sock+0x6b/0x250 net/core/sock.c:3626
  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4091 [inline]
  slab_alloc_node mm/slub.c:4134 [inline]
  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
  alloc_skb include/linux/skbuff.h:1322 [inline]
  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024

Fixes: b5451d783ade ("slip: Move the SLIP drivers")
Reported-by: syzbot+2ada1bc857496353be5a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/670646db.050a0220.3f80e.0027.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241009091132.2136321-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-23 23:21:52 +01:00
appletalk
arcnet
bonding bonding: fix xfrm state handling when clearing active slave 2024-11-23 23:20:48 +01:00
caif
can can: m_can: m_can_close(): stop clocks after device has been shut down 2024-11-23 23:21:18 +01:00
dropdump
dsa net: dsa: b53: fix jumbo frames on 10/100 ports 2024-11-23 23:21:51 +01:00
ethernet net: ibm: emac: mal: fix wrong goto 2024-11-23 23:21:51 +01:00
fddi
fjes
hamradio
hippi
hyperv
ieee802154 net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() 2024-11-23 23:21:35 +01:00
ipa
ipvlan ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound 2024-11-19 12:27:11 +01:00
mdio
netdevsim
pcs
phy net: phy: bcm84881: Fix some error handling paths 2024-11-23 23:21:51 +01:00
plip
ppp ppp: fix ppp_async_encode() illegal access 2024-11-23 23:21:52 +01:00
slip slip: make slhc_remember() more robust against malicious packets 2024-11-23 23:21:52 +01:00
team
usb usbnet: ipheth: fix carrier detection in modes 1 and 4 2024-11-23 23:21:10 +01:00
vmxnet3
vxlan vxlan: Fix regression when dropping packets due to invalid src addresses 2024-11-19 14:19:00 +01:00
wan
wimax
wireguard wireguard: send: annotate intentional data race in checking empty queue 2024-11-19 14:19:45 +01:00
wireless wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() 2024-11-23 23:21:39 +01:00
xen-netback net/xen-netback: prevent UAF in xenvif_flush_hash() 2024-11-23 23:21:37 +01:00
bareudp.c bareudp: Pull inner IP header on xmit. 2024-11-23 23:21:19 +01:00
dummy.c
eql.c
geneve.c geneve: Fix incorrect inner network header offset when innerprotoinherit is set 2024-11-23 23:21:19 +01:00
gtp.c gtp: fix a potential NULL pointer dereference 2024-11-23 23:20:55 +01:00
ifb.c
Kconfig
LICENSE.SRC
loopback.c
macsec.c
macvlan.c
macvtap.c
Makefile
mdio.c
mii.c
net_failover.c
netconsole.c net: netconsole: Disable target before netpoll cleanup 2024-11-23 23:20:12 +01:00
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c tap: add missing verification for short frame 2024-11-19 14:19:53 +01:00
thunderbolt.c
tun.c tun: add missing verification for short frame 2024-11-19 14:19:53 +01:00
veth.c
virtio_net.c virtio_net: Fix napi_skb_cache_put warning 2024-11-23 23:20:59 +01:00
vrf.c net: Add l3mdev index to flow struct and avoid oif reset for port devices 2024-11-23 23:21:52 +01:00
vsockmon.c
xen-netfront.c