From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+a63a1f6a062033cf0f40@syzkaller.appspotmail.com,
Nikolay Aleksandrov <razor@blackwall.org>,
"David S. Miller" <davem@davemloft.net>,
Randy MacLeod <Randy.MacLeod@windriver.com>
Subject: [PATCH 4.19 28/52] net: bridge: xmit: make sure we have at least eth header len bytes
Date: Fri, 15 Nov 2024 07:37:41 +0100 [thread overview]
Message-ID: <20241115063723.875638846@linuxfoundation.org> (raw)
In-Reply-To: <20241115063722.845867306@linuxfoundation.org>
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Aleksandrov <razor@blackwall.org>
commit 8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc upstream.
syzbot triggered an uninit value[1] error in bridge device's xmit path
by sending a short (less than ETH_HLEN bytes) skb. To fix it check if
we can actually pull that amount instead of assuming.
Tested with dropwatch:
drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)
origin: software
timestamp: Mon May 13 11:31:53 2024 778214037 nsec
protocol: 0x88a8
length: 2
original length: 2
drop reason: PKT_TOO_SMALL
[1]
BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
__netdev_start_xmit include/linux/netdevice.h:4903 [inline]
netdev_start_xmit include/linux/netdevice.h:4917 [inline]
xmit_one net/core/dev.c:3531 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
__dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341
dev_queue_xmit include/linux/netdevice.h:3091 [inline]
__bpf_tx_skb net/core/filter.c:2136 [inline]
__bpf_redirect_common net/core/filter.c:2180 [inline]
__bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187
____bpf_clone_redirect net/core/filter.c:2460 [inline]
bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432
___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
__bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425
bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058
bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269
__sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678
__do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
__x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765
x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+a63a1f6a062033cf0f40@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a63a1f6a062033cf0f40
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bridge/br_device.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -41,6 +41,11 @@ netdev_tx_t br_dev_xmit(struct sk_buff *
const unsigned char *dest;
u16 vid = 0;
+ if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) {
+ kfree_skb(skb);
+ return NETDEV_TX_OK;
+ }
+
memset(skb->cb, 0, sizeof(struct br_input_skb_cb));
rcu_read_lock();
next prev parent reply other threads:[~2024-11-15 6:40 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-15 6:37 [PATCH 4.19 00/52] 4.19.324-rc1 review Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 01/52] arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 02/52] ARM: dts: rockchip: fix rk3036 acodec node Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 03/52] ARM: dts: rockchip: drop grf reference from rk3036 hdmi Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 04/52] ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 05/52] HID: core: zero-initialize the report buffer Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 06/52] security/keys: fix slab-out-of-bounds in key_task_permission Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 07/52] sctp: properly validate chunk size in sctp_sf_ootb() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 08/52] can: c_can: fix {rx,tx}_errors statistics Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 09/52] net: hns3: fix kernel crash when uninstalling driver Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 10/52] media: stb0899_algo: initialize cfr before using it Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 11/52] media: dvbdev: prevent the risk of out of memory access Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 12/52] media: dvb_frontend: dont play tricks with underflow values Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 13/52] media: adv7604: prevent underflow condition when reporting colorspace Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 14/52] ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 15/52] media: s5p-jpeg: prevent buffer overflows Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 16/52] media: cx24116: prevent overflows on SNR calculus Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 17/52] media: v4l2-tpg: prevent the risk of a division by zero Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 18/52] drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 19/52] drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 20/52] dm cache: correct the number of origin blocks to match the target length Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 21/52] dm cache: fix out-of-bounds access to the dirty bitset when resizing Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 22/52] dm cache: optimize dirty bit checking with find_next_bit " Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 23/52] dm cache: fix potential out-of-bounds access on the first resume Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 24/52] dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 25/52] nfs: Fix KMSAN warning in decode_getfattr_attrs() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 26/52] btrfs: reinitialize delayed ref list after deleting it from the list Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 27/52] bonding (gcc13): synchronize bond_{a,t}lb_xmit() types Greg Kroah-Hartman
2024-11-15 6:37 ` Greg Kroah-Hartman [this message]
2024-11-15 6:37 ` [PATCH 4.19 29/52] media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 30/52] fs/proc: fix compile warning about variable vmcore_mmap_ops Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 31/52] usb: musb: sunxi: Fix accessing an released usb phy Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 32/52] USB: serial: io_edgeport: fix use after free in debug printk Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 33/52] USB: serial: qcserial: add support for Sierra Wireless EM86xx Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 34/52] USB: serial: option: add Fibocom FG132 0x0112 composition Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 35/52] USB: serial: option: add Quectel RG650V Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 36/52] irqchip/gic-v3: Force propagation of the active state with a read-back Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 37/52] ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 38/52] ALSA: pcm: Return 0 when size < start_threshold in capture Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 39/52] ALSA: usb-audio: Add custom mixer status quirks for RME CC devices Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 40/52] ALSA: usb-audio: Support jack detection on Dell dock Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 41/52] ALSA: usb-audio: Add quirks for Dell WD19 dock Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 42/52] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 43/52] vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 44/52] ALSA: usb-audio: Add endianness annotations Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 45/52] 9p: Avoid creating multiple slab caches with the same name Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 46/52] HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 4.19 47/52] bpf: use kvzmalloc to allocate BPF verifier environment Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 4.19 48/52] sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 4.19 49/52] powerpc/powernv: Free name on error in opal_event_init() Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 4.19 50/52] fs: Fix uninitialized value issue in from_kuid and from_kgid Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 4.19 51/52] net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 4.19 52/52] 9p: fix slab cache name creation for real Greg Kroah-Hartman
2024-11-15 16:00 ` [PATCH 4.19 00/52] 4.19.324-rc1 review Harshit Mogalapalli
2024-11-15 17:55 ` Jon Hunter
2024-11-16 12:54 ` Naresh Kamboju
2024-11-16 21:18 ` Shuah Khan
2024-11-17 13:25 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241115063723.875638846@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Randy.MacLeod@windriver.com \
--cc=davem@davemloft.net \
--cc=patches@lists.linux.dev \
--cc=razor@blackwall.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+a63a1f6a062033cf0f40@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.