kernel_samsung_a53x/drivers/net
Eric Dumazet da367d7cf1 ppp: fix ppp_async_encode() illegal access
[ Upstream commit 40dddd4b8bd08a69471efd96107a4e1c73fabefc ]

syzbot reported an issue in ppp_async_encode() [1]

In this case, pppoe_sendmsg() is called with a zero size.
Then ppp_async_encode() is called with an empty skb.

BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
 BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
  ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
  ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
  ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634
  ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]
  ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304
  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
  __release_sock+0x1da/0x330 net/core/sock.c:3072
  release_sock+0x6b/0x250 net/core/sock.c:3626
  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4092 [inline]
  slab_alloc_node mm/slub.c:4135 [inline]
  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
  alloc_skb include/linux/skbuff.h:1322 [inline]
  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+1d121645899e7692f92a@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20241009185802.3763282-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-23 23:21:52 +01:00
appletalk
arcnet
bonding bonding: fix xfrm state handling when clearing active slave 2024-11-23 23:20:48 +01:00
caif
can can: m_can: m_can_close(): stop clocks after device has been shut down 2024-11-23 23:21:18 +01:00
dropdump
dsa net: dsa: b53: fix jumbo frames on 10/100 ports 2024-11-23 23:21:51 +01:00
ethernet net: ibm: emac: mal: fix wrong goto 2024-11-23 23:21:51 +01:00
fddi
fjes
hamradio
hippi
hyperv
ieee802154 net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() 2024-11-23 23:21:35 +01:00
ipa
ipvlan ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound 2024-11-19 12:27:11 +01:00
mdio
netdevsim
pcs
phy net: phy: bcm84881: Fix some error handling paths 2024-11-23 23:21:51 +01:00
plip
ppp ppp: fix ppp_async_encode() illegal access 2024-11-23 23:21:52 +01:00
slip
team
usb usbnet: ipheth: fix carrier detection in modes 1 and 4 2024-11-23 23:21:10 +01:00
vmxnet3
vxlan vxlan: Fix regression when dropping packets due to invalid src addresses 2024-11-19 14:19:00 +01:00
wan
wimax
wireguard wireguard: send: annotate intentional data race in checking empty queue 2024-11-19 14:19:45 +01:00
wireless wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() 2024-11-23 23:21:39 +01:00
xen-netback net/xen-netback: prevent UAF in xenvif_flush_hash() 2024-11-23 23:21:37 +01:00
bareudp.c bareudp: Pull inner IP header on xmit. 2024-11-23 23:21:19 +01:00
dummy.c
eql.c
geneve.c geneve: Fix incorrect inner network header offset when innerprotoinherit is set 2024-11-23 23:21:19 +01:00
gtp.c gtp: fix a potential NULL pointer dereference 2024-11-23 23:20:55 +01:00
ifb.c
Kconfig
LICENSE.SRC
loopback.c
macsec.c
macvlan.c
macvtap.c
Makefile
mdio.c
mii.c
net_failover.c
netconsole.c net: netconsole: Disable target before netpoll cleanup 2024-11-23 23:20:12 +01:00
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c tap: add missing verification for short frame 2024-11-19 14:19:53 +01:00
thunderbolt.c
tun.c tun: add missing verification for short frame 2024-11-19 14:19:53 +01:00
veth.c
virtio_net.c virtio_net: Fix napi_skb_cache_put warning 2024-11-23 23:20:59 +01:00
vrf.c net: Add l3mdev index to flow struct and avoid oif reset for port devices 2024-11-23 23:21:52 +01:00
vsockmon.c
xen-netfront.c