| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250221061219.295590-1-jiayuan.chen@linux.dev> Date: Fri, 21 Feb 2025 14:12:18 +0800 From: Jiayuan Chen <jiayuan.chen@...ux.dev> To: bpf@...r.kernel.org, netdev@...r.kernel.org Cc: andrew+netdev@...n.ch, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, horms@...nel.org, ricardo@...liere.net, jiayuan.chen@...ux.dev, viro@...iv.linux.org.uk, dmantipov@...dex.ru, aleksander.lobakin@...el.com, linux-ppp@...r.kernel.org, linux-kernel@...r.kernel.org, mrpre@....com Subject: [PATCH net-next v2 0/1] ppp: Fix KMSAN uninit-value warning with bpf Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filters. Here's a detailed explanation: 1. PPP protocol format The PPP protocol format looks like this: |<-------------------------- 7 - 1508 bytes --------------------------->| +---0x7E---+---0xFF---+---0x03---+----------+---------------+----------+---0x7E---- | Flag | Address | Control | Protocol | Information | FCS | Flag | | 01111110 | 11111111 | 00000011 | 8/16bits | * | 16 bits | 01111110 | +----------+----------+----------+----------+---------------+----------+----------- 2. Normal BPF program For example, when filtering IP over PPP, libpcap generates BPF instructions like this: ''' tcpdump -d ip -y PPP (000) ldh [2] (001) jeq #0x21 jt 2 jf 3 (002) ret #262144 (003) ret ''' 2 bytes data are skipped by bpf program and then bpf program reads the 'Protocol' field to determine if it's an IP packet. Clearly, libpcap assumes the packet starts from the Address field, just like the comment in 'drivers/net/ppp/ppp_generic.c': /* the filter instructions are constructed assuming a four-byte PPP header on each packet */ Corresponding libpcap code is here: https://github.com/the-tcpdump-group/libpcap/blob/master/gencode.c#L1421 3. Current problem The problem is that the skb->data generated by ppp_write() starts from the 'Protocol' field. In the current implementation, to correctly use the BPF filter program, a 2-byte header is added to simulate the presence of Address and Control fields. And then, after running the socket filter, it's restored: 1768 *(u8 *)skb_push(skb, 2) = 1; 1770 bpf_prog_run() 1782 skb_pull(skb, 2); The thing is, only one byte of the new 2-byte header is initialized. For normal BPF programs generated by libpcap, uninitialized data won't be used, so it's not a problem. However, for carefully crafted BPF programs, such as those generated by syzkaller [2], which start reading from offset 0, the uninitialized data will be used and caught by KMSAN. 4. Fix The fix is simple: initialize the entire 2-byte header. [1] https://syzkaller.appspot.com/bug?extid=853242d9c9917165d791 [2] https://syzkaller.appspot.com/text?tag=ReproC&x=11994913980000 --- v1 -> v2: https://lore.kernel.org/linux-ppp/20250218133145.265313-1-jiayuan.chen@linux.dev/T/#t Add more comments. Correctly initialize on big-endian and little-endian systems. --- Jiayuan Chen (1): ppp: Fix KMSAN warning by initializing 2-byte header drivers/net/ppp/ppp_generic.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) -- 2.47.1
Powered by blists - more mailing lists