| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240119044958.1809-1-hdanton@sina.com>
Date: Fri, 19 Jan 2024 12:49:58 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+bfde3bef047a81b8fde6@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] KASAN: use-after-free Read in __skb_flow_dissect (3)
On Mon, 01 Jan 2024 09:18:16 -0800
> syzbot found the following issue on:
>
> HEAD commit: f5837722ffec Merge tag 'mm-hotfixes-stable-2023-12-27-15-0..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122dfc65e80000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
--- x/net/core/flow_dissector.c
+++ y/net/core/flow_dissector.c
@@ -1165,9 +1165,13 @@ proto_again:
case htons(ETH_P_IP): {
const struct iphdr *iph;
struct iphdr _iph;
+ const unsigned char *buf = data;
+
+ if (2 != buf[0])
+ _iph.ihl = 1;
iph = __skb_header_pointer(skb, nhoff, sizeof(_iph), data, hlen, &_iph);
- if (!iph || iph->ihl < 5) {
+ if (nhoff < 0 || !iph || iph->ihl < 5) {
fdret = FLOW_DISSECT_RET_OUT_BAD;
break;
}
--
Powered by blists - more mailing lists