| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250408153352.GY395307@horms.kernel.org>
Date: Tue, 8 Apr 2025 16:33:52 +0100
From: Simon Horman <horms@...nel.org>
To: Arnaud Lecomte <contact@...aud-lcm.com>
Cc: Andrew Lunn <andrew+netdev@...n.ch>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
linux-ppp@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, skhan@...uxfoundation.org,
syzbot+29fc8991b0ecb186cf40@...kaller.appspotmail.com
Subject: Re: [PATCH] net: ppp: Add bound checking for skb d on ppp_sync_txmung
On Mon, Apr 07, 2025 at 05:26:21PM +0200, Arnaud Lecomte wrote:
> Ensure we have enough data in linear buffer from skb before accessing
> initial bytes. This prevents potential out-of-bounds accesses
> when processing short packets.
>
> When ppp_sync_txmung receives an incoming package with an empty
> payload:
> (remote) gef⤠p *(struct pppoe_hdr *) (skb->head + skb->network_header)
> $18 = {
> type = 0x1,
> ver = 0x1,
> code = 0x0,
> sid = 0x2,
> length = 0x0,
> tag = 0xffff8880371cdb96
> }
>
> from the skb struct (trimmed)
> tail = 0x16,
> end = 0x140,
> head = 0xffff88803346f400 "4",
> data = 0xffff88803346f416 ":\377",
> truesize = 0x380,
> len = 0x0,
> data_len = 0x0,
> mac_len = 0xe,
> hdr_len = 0x0,
>
> it is not safe to access data[2].
>
> Reported-by: syzbot+29fc8991b0ecb186cf40@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40
> Tested-by: syzbot+29fc8991b0ecb186cf40@...kaller.appspotmail.com
> Fixes: 9946eaf552b1 ("Merge tag 'hardening-v6.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux")
It doesn't seem right to use a Merge commit in a fixes tag.
Looking over the code, the access to data[2] seems to have existed since
the beginning of git history, in which case I think we can use this:
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Arnaud Lecomte <contact@...aud-lcm.com>
> ---
> drivers/net/ppp/ppp_synctty.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
> index 644e99fc3623..520d895acc60 100644
> --- a/drivers/net/ppp/ppp_synctty.c
> +++ b/drivers/net/ppp/ppp_synctty.c
> @@ -506,6 +506,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
> unsigned char *data;
> int islcp;
>
> + /* Ensure we can safely access protocol field and LCP code */
> + if (!skb || !pskb_may_pull(skb, 3)) {
I doubt that skb can be NULL.
> + kfree_skb(skb);
> + return NULL;
> + }
> data = skb->data;
> proto = get_unaligned_be16(data);
>
>
> ---
> base-commit: 9946eaf552b194bb352c2945b54ff98c8193b3f1
> change-id: 20250405-bound-checking-ppp_txmung-4807c854ed85
>
> Best regards,
> --
> Arnaud Lecomte <contact@...aud-lcm.com>
>
>
Powered by blists - more mailing lists