| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250221061219.295590-2-jiayuan.chen@linux.dev>
Date: Fri, 21 Feb 2025 14:12:19 +0800
From: Jiayuan Chen <jiayuan.chen@...ux.dev>
To: bpf@...r.kernel.org,
netdev@...r.kernel.org
Cc: andrew+netdev@...n.ch,
davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
horms@...nel.org,
ricardo@...liere.net,
jiayuan.chen@...ux.dev,
viro@...iv.linux.org.uk,
dmantipov@...dex.ru,
aleksander.lobakin@...el.com,
linux-ppp@...r.kernel.org,
linux-kernel@...r.kernel.org,
mrpre@....com,
syzbot+853242d9c9917165d791@...kaller.appspotmail.com
Subject: [PATCH net-next v2 1/1] ppp: Fix KMSAN warning by initializing 2-byte header
The ppp program adds a 2-byte pseudo-header for socket filters, which is
normally skipped by regular BPF programs generated by libpcap, causing no
issues.
However, for abnormal BPF programs that use these uninitialized 2 bytes,
a KMSAN warning is triggered.
Reported-by: syzbot+853242d9c9917165d791@...kaller.appspotmail.com
Closes: https://lore.kernel.org/bpf/000000000000dea025060d6bc3bc@google.com/
Signed-off-by: Jiayuan Chen <jiayuan.chen@...ux.dev>
---
drivers/net/ppp/ppp_generic.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 4583e15ad03a..ac95196c85df 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -1762,10 +1762,16 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
if (proto < 0x8000) {
#ifdef CONFIG_PPP_FILTER
- /* check if we should pass this packet */
- /* the filter instructions are constructed assuming
- a four-byte PPP header on each packet */
- *(u8 *)skb_push(skb, 2) = 1;
+ /* Check if we should pass this packet.
+ * BPF filter instructions assume each PPP packet has a 4-byte
+ * header (e.g., those generated by libpcap), and then default
+ * to skipping the first 2 bytes at the beginning of the
+ * instruction. However, we still need to initialize these
+ * 2-byte new headers to prevent crafted BPF programs from
+ * reading them which would cause reading of uninitialized
+ * data. Here, we set the headers according to the RFC 1662.
+ */
+ *(u16 *)skb_push(skb, 2) = htons(0xff03);
if (ppp->pass_filter &&
bpf_prog_run(ppp->pass_filter, skb) == 0) {
if (ppp->debug & 1)
--
2.47.1
Powered by blists - more mailing lists