| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID:
<SYBPR01MB78810A9BF01E403BFD95F871AFADA@SYBPR01MB7881.ausprd01.prod.outlook.com>
Date: Mon, 15 Dec 2025 11:33:37 +0000
From: Junrui Luo <moonafterrain@...look.com>
To: David Laight <david.laight.linux@...il.com>
CC: "David S. Miller" <davem@...emloft.net>, Eric Dumazet
<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
<pabeni@...hat.com>, Simon Horman <horms@...nel.org>, Sjur Braendeland
<sjur.brandeland@...ricsson.com>, "netdev@...r.kernel.org"
<netdev@...r.kernel.org>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>, Yuhao Jiang <danisjiang@...il.com>
Subject: Re: [PATCH] caif: fix integer underflow in cffrml_receive()
On Thu, Dec 11, 2025 at 01:26:16PM +0000, David Laight wrote:
> On Thu, 04 Dec 2025 21:30:47 +0800
> Junrui Luo <moonafterrain@...look.com> wrote:
>
> > The cffrml_receive() function extracts a length field from the packet
> > header and, when FCS is disabled, subtracts 2 from this length without
> > validating that len >= 2.
> >
> > If an attacker sends a malicious packet with a length field of 0 or 1
> > to an interface with FCS disabled, the subtraction causes an integer
> > underflow.
> >
> > This can lead to memory exhaustion and kernel instability, potential
> > information disclosure if padding contains uninitialized kernel memory.
> >
> > Fix this by validating that len >= 2 before performing the subtraction.
> >
> > Reported-by: Yuhao Jiang <danisjiang@...il.com>
> > Reported-by: Junrui Luo <moonafterrain@...look.com>
> > Fixes: b482cd2053e3 ("net-caif: add CAIF core protocol stack")
> > Signed-off-by: Junrui Luo <moonafterrain@...look.com>
> > ---
> > net/caif/cffrml.c | 9 ++++++++-
> > 1 file changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/caif/cffrml.c b/net/caif/cffrml.c
> > index 6651a8dc62e0..d4d63586053a 100644
> > --- a/net/caif/cffrml.c
> > +++ b/net/caif/cffrml.c
> > @@ -92,8 +92,15 @@ static int cffrml_receive(struct cflayer *layr, struct cfpkt *pkt)
> > len = le16_to_cpu(tmp);
> >
> > /* Subtract for FCS on length if FCS is not used. */
> > - if (!this->dofcs)
> > + if (!this->dofcs) {
> > + if (len < 2) {
> > + ++cffrml_rcv_error;
> > + pr_err("Invalid frame length (%d)\n", len);
>
> Doesn't that let the same remote attacker flood the kernel message buffer?
Thanks for the review and suggestion. Please let me know if you'd like me to
repost a patch removing pr_err(), or if there is a preferred alternative.
>
> David
>
> > + cfpkt_destroy(pkt);
> > + return -EPROTO;
> > + }
> > len -= 2;
> > + }
> >
> > if (cfpkt_setlen(pkt, len) < 0) {
> > ++cffrml_rcv_error;
> >
> > ---
> > base-commit: 559e608c46553c107dbba19dae0854af7b219400
> > change-id: 20251204-fixes-23393d72bfc8
> >
> > Best regards,
>
Thanks,
Junrui Luo
Powered by blists - more mailing lists