Date:   Tue, 18 Sep 2018 18:52:54 +0200
From:   Guillaume Nault <g.nault@...halink.fr>
To:     Eric Dumazet <eric.dumazet@...il.com>
Cc:     Alexander Potapenko <glider@...gle.com>,
        syzbot+f5f6080811c849739212@...kaller.appspotmail.com,
        LKML <linux-kernel@...r.kernel.org>, mostrows@...thlink.net,
        Networking <netdev@...r.kernel.org>,
        syzkaller-bugs@...glegroups.com
Subject: Re: KMSAN: uninit-value in pppoe_rcv

On Thu, Sep 13, 2018 at 06:57:54AM -0700, Eric Dumazet wrote:
> 
> 
> I guess the following patch would fix the issue
> 
> (I will submit it more formally)
>
Hi Eric,

Do you still plan to submit this patch? Otherwise I can take care of it.


> diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
> index ce61231e96ea5fe27f512fbd0d80d4609997e508..333e967ed968ea3ff2dda25289f7f657263db2b9 100644
> --- a/drivers/net/ppp/pppoe.c
> +++ b/drivers/net/ppp/pppoe.c
> @@ -423,6 +423,7 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
>         struct pppoe_hdr *ph;
>         struct pppox_sock *po;
>         struct pppoe_net *pn;
> +       __be16 sid;
>         int len;
>  
>         skb = skb_share_check(skb, GFP_ATOMIC);
> @@ -434,6 +435,7 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
>  
>         ph = pppoe_hdr(skb);
>         len = ntohs(ph->length);
> +       sid = ph->sid;
>  
>         skb_pull_rcsum(skb, sizeof(*ph));
>         if (skb->len < len)
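Review bot: The copy at `sid = ph->sid;` needs a short comment saying why `ph` must not be dereferenced after `skb_pull_rcsum()` and the length check. As posted, neither the code nor the mail records the reason, so a later cleanup could fold the local back into the `get_item()` call. Also, `ph->length` and `ph->sid` are both read here directly after `pppoe_hdr(skb)`, so the copy only helps if the header bytes are known to be present and initialised at this point; the hunk does not show that check, and it is worth confirming it sits above these lines.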
> @@ -447,7 +449,7 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
>         /* Note that get_item does a sock_hold(), so sk_pppox(po)
>          * is known to be safe.
>          */
> -       po = get_item(pn, ph->sid, eth_hdr(skb)->h_source, dev->ifindex);
> +       po = get_item(pn, sid, eth_hdr(skb)->h_source, dev->ifindex);
>         if (!po)
>                 goto drop;
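Review bot: The `get_item()` call still reads `eth_hdr(skb)->h_source` from the packet, and the patch replaces only the `ph->sid` argument. If the KMSAN report is triggered by the lookup key, the source MAC is as much a candidate as the session id, and nothing in these lines establishes that the MAC header is present and initialised when this runs. Suggest confirming which argument KMSAN flags before relying on the cached `sid` alone, and validating the MAC header before the lookup if it can be missing.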
> 
> 
> 
