| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ba2f508e-20b1-4b5a-b512-a85efcf9ad50@arnaud-lcm.com>
Date: Tue, 8 Apr 2025 17:58:39 +0200
From: Arnaud Lecomte <contact@...aud-lcm.com>
To: Simon Horman <horms@...nel.org>
Cc: Andrew Lunn <andrew+netdev@...n.ch>, "David S. Miller"
<davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
linux-ppp@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, skhan@...uxfoundation.org,
syzbot+29fc8991b0ecb186cf40@...kaller.appspotmail.com
Subject: Re: [PATCH] net: ppp: Add bound checking for skb d on ppp_sync_txmung
Thanks for the review.
You're right, using a merge commit in the `Fixes:` tag was not relevant.
I'll send a v2 shortly with the fix as well as the removal of the skb
check as it is already done before.
On 08/04/2025 17:33, Simon Horman wrote:
> On Mon, Apr 07, 2025 at 05:26:21PM +0200, Arnaud Lecomte wrote:
>> Ensure we have enough data in linear buffer from skb before accessing
>> initial bytes. This prevents potential out-of-bounds accesses
>> when processing short packets.
>>
>> When ppp_sync_txmung receives an incoming package with an empty
>> payload:
>> (remote) gef⤠p *(struct pppoe_hdr *) (skb->head + skb->network_header)
>> $18 = {
>> type = 0x1,
>> ver = 0x1,
>> code = 0x0,
>> sid = 0x2,
>> length = 0x0,
>> tag = 0xffff8880371cdb96
>> }
>>
>> from the skb struct (trimmed)
>> tail = 0x16,
>> end = 0x140,
>> head = 0xffff88803346f400 "4",
>> data = 0xffff88803346f416 ":\377",
>> truesize = 0x380,
>> len = 0x0,
>> data_len = 0x0,
>> mac_len = 0xe,
>> hdr_len = 0x0,
>>
>> it is not safe to access data[2].
>>
>> Reported-by: syzbot+29fc8991b0ecb186cf40@...kaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40
>> Tested-by: syzbot+29fc8991b0ecb186cf40@...kaller.appspotmail.com
>> Fixes: 9946eaf552b1 ("Merge tag 'hardening-v6.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux")
> It doesn't seem right to use a Merge commit in a fixes tag.
>
> Looking over the code, the access to data[2] seems to have existed since
> the beginning of git history, in which case I think we can use this:
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>
>> Signed-off-by: Arnaud Lecomte <contact@...aud-lcm.com>
>> ---
>> drivers/net/ppp/ppp_synctty.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
>> index 644e99fc3623..520d895acc60 100644
>> --- a/drivers/net/ppp/ppp_synctty.c
>> +++ b/drivers/net/ppp/ppp_synctty.c
>> @@ -506,6 +506,11 @@ ppp_sync_txmunge(struct syncppp *ap, struct sk_buff *skb)
>> unsigned char *data;
>> int islcp;
>>
>> + /* Ensure we can safely access protocol field and LCP code */
>> + if (!skb || !pskb_may_pull(skb, 3)) {
> I doubt that skb can be NULL.
>
>> + kfree_skb(skb);
>> + return NULL;
>> + }
>> data = skb->data;
>> proto = get_unaligned_be16(data);
>>
>>
>> ---
>> base-commit: 9946eaf552b194bb352c2945b54ff98c8193b3f1
>> change-id: 20250405-bound-checking-ppp_txmung-4807c854ed85
>>
>> Best regards,
>> --
>> Arnaud Lecomte <contact@...aud-lcm.com>
>>
>>
Powered by blists - more mailing lists