lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 19 Jan 2024 14:30:27 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, 
	Paolo Abeni <pabeni@...hat.com>, Paul Gortmaker <paul.gortmaker@...driver.com>, 
	Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org, 
	syzbot+b5ad66046b913bc04c6f@...kaller.appspotmail.com
Subject: Re: [PATCH v2 net] llc: Drop support for ETH_P_TR_802_2.

On Fri, Jan 19, 2024 at 2:55 AM Kuniyuki Iwashima <kuniyu@...zon.com> wrote:
>
> syzbot reported an uninit-value bug below. [0]
>
> llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2
> (0x0011), and syzbot abused the latter to trigger the bug.
>
>   write$tun(r0, &(0x7f0000000040)={@...={0x0, 0x11}, @val, @mpls={[], @llc={@...p={0xaa, 0x1, ')', "90e5dd"}}}}, 0x16)
>
> llc_conn_handler() initialises local variables {saddr,daddr}.mac
> based on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes
> them to __llc_lookup().
>
> However, the initialisation is done only when skb->protocol is
> htons(ETH_P_802_2), otherwise, __llc_lookup_established() and
> __llc_lookup_listener() will read garbage.
>
> The missing initialisation existed prior to commit 211ed865108e
> ("net: delete all instances of special processing for token ring").

SGTM, thanks.

Reviewed-by: Eric Dumazet <edumazet@...gle.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ