| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250906012016.58856-1-disclosure@aisle.com>
Date: Sat, 6 Sep 2025 04:20:16 +0300
From: Stanislav Fort <stanislav.fort@...le.com>
To: netdev@...r.kernel.org
Cc: davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
horms@...nel.org,
linux-hams@...r.kernel.org,
linux-kernel@...r.kernel.org,
security@...nel.org,
Stanislav Fort <disclosure@...le.com>,
stable@...r.kernel.org
Subject: [PATCH net v4] netrom: linearize and validate lengths in nr_rx_frame()
Linearize skb and add targeted length checks in nr_rx_frame() to
prevent out-of-bounds reads and potential use-after-free (UAF) when
processing malformed NET/ROM frames.
- Require skb to be linear and at least NR_NETWORK_LEN +
NR_TRANSPORT_LEN (20 bytes) before reading
network/transport fields.
- For existing sockets path, ensure NR_CONNACK includes the window
byte (>= 21 bytes).
- For CONNREQ handling, ensure window (byte 20) and user address
(bytes 21-27) are present (>= 28 bytes).
- Preserve existing BPQ extension handling:
- NR_CONNACK len == 22 -> 1 extra byte (TTL)
- NR_CONNREQ len == 37 -> 2 extra bytes (timeout)
These validations block malformed frames from triggering bounds
violations via short skbs. Because NET/ROM frames may originate from
remote peers, the issue is externally triggerable and therefore
security-relevant.
Suggested-by: Eric Dumazet <edumazet@...gle.com>
Reviewed-by: Eric Dumazet <edumazet@...gle.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@...r.kernel.org
Signed-off-by: Stanislav Fort <disclosure@...le.com>
---
Changes since v3:
- Wrap commit message at 74 columns
- Add Fixes tag and Cc: stable
- Drop Reported-by
- Add Reviewed-by from Eric Dumazet
---
net/netrom/af_netrom.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 3331669d8e33..f0660dd6d3b0 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -885,6 +885,11 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
/*
* skb->data points to the netrom frame start
*/
+ if (skb_linearize(skb))
+ return 0;
+ if (skb->len < NR_NETWORK_LEN + NR_TRANSPORT_LEN)
+ return 0;
+
src = (ax25_address *)(skb->data + 0);
dest = (ax25_address *)(skb->data + 7);
@@ -927,6 +932,11 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
}
if (sk != NULL) {
+ if (frametype == NR_CONNACK &&
+ skb->len < NR_NETWORK_LEN + NR_TRANSPORT_LEN + 1) {
+ sock_put(sk);
+ return 0;
+ }
bh_lock_sock(sk);
skb_reset_transport_header(skb);
@@ -961,10 +971,14 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
return 0;
}
- sk = nr_find_listener(dest);
+ /* Need window (byte 20) and user address (bytes 21-27) */
+ if (skb->len < NR_NETWORK_LEN + NR_TRANSPORT_LEN + 1 + AX25_ADDR_LEN)
+ return 0;
user = (ax25_address *)(skb->data + 21);
+ sk = nr_find_listener(dest);
+
if (sk == NULL || sk_acceptq_is_full(sk) ||
(make = nr_make_new(sk)) == NULL) {
nr_transmit_refusal(skb, 0);
--
2.39.3 (Apple Git-146)
Powered by blists - more mailing lists