| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240118043359.1367-1-hdanton@sina.com>
Date: Thu, 18 Jan 2024 12:33:59 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+bfde3bef047a81b8fde6@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] KASAN: use-after-free Read in __skb_flow_dissect (3)
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122dfc65e80000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
--- x/net/core/filter.c
+++ y/net/core/filter.c
@@ -2159,6 +2159,10 @@ static int __bpf_redirect_no_mac(struct
if (!skb_at_tc_ingress(skb))
skb_postpull_rcsum(skb, skb_mac_header(skb), mlen);
}
+ if (skb->tail - skb->data <= sizeof(struct iphdr)) {
+ kfree_skb(skb);
+ return -ERANGE;
+ }
skb_pop_mac_header(skb);
skb_reset_mac_len(skb);
return flags & BPF_F_INGRESS ?
--
Powered by blists - more mailing lists