Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-09-20 15:03:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
7b3ba18703
linux/net
History
Willem de Bruijn 7b3ba18703 llc: verify mac len before reading mac header 
LLC reads the mac header with eth_hdr without verifying that the skb
has an Ethernet header.

Syzbot was able to enter llc_rcv on a tun device. Tun can insert
packets without mac len and with user configurable skb->protocol
(passing a tun_pi header when not configuring IFF_NO_PI).

    BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
    BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
    llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
    llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
    llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218
    __netif_receive_skb_one_core net/core/dev.c:5523 [inline]
    __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
    netif_receive_skb_internal net/core/dev.c:5723 [inline]
    netif_receive_skb+0x58/0x660 net/core/dev.c:5782
    tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
    tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002

Add a mac_len test before all three eth_hdr(skb) calls under net/llc.

There are further uses in include/net/llc_pdu.h. All these are
protected by a test skb->protocol == ETH_P_802_2. Which does not
protect against this tun scenario.

But the mac_len test added in this patch in llc_fixup_skb will
indirectly protect those too. That is called from llc_rcv before any
other LLC code.

It is tempting to just add a blanket mac_len check in llc_rcv, but
not sure whether that could break valid LLC paths that do not assume
an Ethernet header. 802.2 LLC may be used on top of non-802.3
protocols in principle. The below referenced commit shows that used
to, on top of Token Ring.

At least one of the three eth_hdr uses goes back to before the start
of git history. But the one that syzbot exercises is introduced in
this commit. That commit is old enough (2008), that effectively all
stable kernels should receive this.

Fixes: f83f1768f8 ("[LLC]: skb allocation size for responses")
Reported-by: syzbot+a8c7be6dee0de1b669cc@syzkaller.appspotmail.com
Signed-off-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20231025234251.3796495-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-11-01 22:21:32 -07:00
..
6lowpan
9p
802 net: fill in MODULE_DESCRIPTION()s under net/802* 2023-10-28 11:29:28 +01:00
8021q net: fill in MODULE_DESCRIPTION()s under net/802* 2023-10-28 11:29:28 +01:00
appletalk appletalk: remove special handling code for ipddp 2023-10-13 17:59:32 -07:00
atm net: atm: Remove redundant check. 2023-10-23 08:45:25 +01:00
ax25 net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-24 10:51:39 -07:00
bluetooth Bluetooth: hci_sync: Fix Opcode prints in bt_dev_dbg/err 2023-10-23 11:05:32 -07:00
bpf bpf: Prevent inlining of bpf_fentry_test7() 2023-08-30 08:36:17 +02:00
bpfilter
bridge net: bridge: fill in MODULE_DESCRIPTION() 2023-10-27 11:16:44 +01:00
caif
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-12 17:07:34 -07:00
ceph Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-19 13:29:01 -07:00
core Follow up to networking PR for 6.7 2023-11-01 16:33:20 -10:00
dcb
dccp tcp: record last received ipv6 flowlabel 2023-10-10 10:02:59 +02:00
devlink netlink: specs: devlink: add forgotten port function caps enum values 2023-11-01 22:13:43 -07:00
dns_resolver
dsa net: dsa: Rename IFLA_DSA_MASTER to IFLA_DSA_CONDUIT 2023-10-24 13:08:14 -07:00
ethernet
ethtool ethtool: untangle the linkmode and ethtool headers 2023-10-20 12:47:33 +01:00
handshake Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-26 13:46:28 -07:00
hsr net: hsr: Add __packed to struct hsr_sup_tlv. 2023-09-18 08:26:19 +01:00
ieee802154 sysctl-6.6-rc1 2023-08-29 17:39:15 -07:00
ife
ipv4 net: tcp: remove call to obsolete crypto_ahash_alignmask() 2023-10-31 13:11:51 -07:00
ipv6 ipsec-next-2023-10-28 2023-10-30 14:36:57 -07:00
iucv
kcm kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). 2023-09-14 10:43:51 +02:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-18 12:44:56 -07:00
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-05 13:16:47 -07:00
l3mdev
lapb
llc llc: verify mac len before reading mac header 2023-11-01 22:21:32 -07:00
mac80211 wireless-next patches for v6.7 2023-10-26 20:27:58 -07:00
mac802154
mctp mctp: perform route lookups under a RCU read-side lock 2023-10-10 19:43:22 -07:00
mpls networking: Update to register_net_sysctl_sz 2023-08-15 15:26:18 -07:00
mptcp mptcp: define more local variables sk 2023-10-27 08:47:30 -07:00
ncsi ncsi: Propagate carrier gain/loss events to the NCSI controller 2023-09-18 07:06:05 +01:00
netfilter ipsec-next-2023-10-28 2023-10-30 14:36:57 -07:00
netlabel
netlink genetlink: don't merge dumpit split op for different cmds into single iter 2023-10-23 16:11:53 -07:00
netrom net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
nfc nfc: nci: fix possible NULL pointer dereference in send_acknowledge() 2023-10-16 17:34:53 -07:00
nsh
openvswitch net: openvswitch: Annotate struct mask_array with __counted_by 2023-10-17 13:56:03 +02:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-12 17:07:34 -07:00
phonet
psample
qrtr
rds net: prevent address rewrite in kernel_bind() 2023-10-01 19:31:29 +01:00
rfkill net: rfkill: reduce data->mtx scope in rfkill_fop_open 2023-10-11 16:55:10 +02:00
rose net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
rxrpc
sched net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-05 13:16:47 -07:00
smc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-19 13:29:01 -07:00
strparser
sunrpc NFSD 6.7 Release Notes 2023-10-30 10:12:29 -10:00
switchdev
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-05 13:16:47 -07:00
tls tls: don't reset prot->aad_size and prot->tail_size for TLS_HW 2023-10-23 10:15:09 -07:00
unix af_unix: Remove module remnants. 2023-10-27 09:12:47 -07:00
vmw_vsock Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-26 13:46:28 -07:00
wireless wireless-next patches for v6.7 2023-10-26 20:27:58 -07:00
x25 net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
xdp xsk: Avoid starving the xsk further down the list 2023-10-24 11:55:36 +02:00
xfrm ipsec-next-2023-10-28 2023-10-30 14:36:57 -07:00
compat.c
devres.c
Kconfig net: add skb_segment kunit test 2023-10-11 10:39:01 +01:00
Kconfig.debug
Makefile
socket.c for-6.7/io_uring-sockopt-2023-10-30 2023-11-01 11:16:34 -10:00
sysctl_net.c sysctl: Add size to register_net_sysctl function 2023-08-15 15:26:17 -07:00