| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250222092556.274267-1-jiayuan.chen@linux.dev> Date: Sat, 22 Feb 2025 17:25:55 +0800 From: Jiayuan Chen <jiayuan.chen@...ux.dev> To: bpf@...r.kernel.org, netdev@...r.kernel.org Cc: andrew+netdev@...n.ch, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, horms@...nel.org, ricardo@...liere.net, jiayuan.chen@...ux.dev, viro@...iv.linux.org.uk, dmantipov@...dex.ru, aleksander.lobakin@...el.com, linux-ppp@...r.kernel.org, linux-kernel@...r.kernel.org, mrpre@....com, Paul Mackerras <paulus@...ba.org> Subject: [PATCH net-next v3 0/1] ppp: Fix KMSAN uninit-value warning with bpf Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filters. Here's a detailed explanation: The following code can generate a PPP filter BPF program: ''' struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, &fp, "ip and outbound", 0, 0); bpf_dump(&fp, 1); ''' Its output is: ''' (000) ldh [2] (001) jeq #0x21 jt 2 jf 5 (002) ldb [0] (003) jeq #0x1 jt 4 jf 5 (004) ret #65535 (005) ret #0 ''' You can find similar code at the following link: https://github.com/ppp-project/ppp/blob/master/pppd/options.c#L1680 The maintainer of this code repository is also the original maintainer of the ppp driver. 3. Current problem The problem is that the skb->data generated by ppp_write() starts from the 'Protocol' field. But the BPF program skips 2 bytes of data and then reads the 'Protocol' field to determine if it's an IP packet just like the comment in 'drivers/net/ppp/ppp_generic.c': /* the filter instructions are constructed assuming a four-byte PPP header on each packet */ In the current PPP driver implementation, to correctly use the BPF filter program, a 2-byte header is added, after running the socket filter, it's restored: ''' 1768 *(u8 *)skb_push(skb, 2) = 1; 1770 bpf_prog_run() 1782 skb_pull(skb, 2); ''' The issue is that only the first byte indicating direction is initialized, while the second byte is not initialized. For normal BPF programs generated by libpcap, uninitialized data won't be used, so it's not a problem. However, for carefully crafted BPF programs, such as those generated by syzkaller [2], which start reading from offset 0, the uninitialized data will be used and caught by KMSAN. 4. Fix The fix is simple: initialize the entire 2-byte header. Cc: Paul Mackerras <paulus@...ba.org> [1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791 [2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000 Jiayuan Chen (1): ppp: Fix KMSAN warning by initializing 2-byte header drivers/net/ppp/ppp_generic.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) -- 2.47.1
Powered by blists - more mailing lists