From: Weiming Shi <bestswngs@gmail.com>
To: Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Hans Verkuil <hverkuil+cisco@kernel.org>,
	Alex Deucher <alexander.deucher@amd.com>,
	Ian Rogers <irogers@google.com>,
	Jonathan Cameron <Jonathan.Cameron@huawei.com>,
	Kees Cook <kees@kernel.org>, Ingo Molnar <mingo@kernel.org>,
	Alan Cox <alan@linux.intel.com>,
	netdev@vger.kernel.org, Weiming Shi <bestswngs@gmail.com>,
	Simon Horman <horms@kernel.org>
Subject: [PATCH net] slip: fix slab-out-of-bounds write in slhc_uncompress()
Date: Thu, 16 Apr 2026 05:34:00 +0800
Message-ID: <20260415213359.335657-2-bestswngs@gmail.com>

sl_bump() reserves only 80 bytes of expansion headroom before calling
slhc_uncompress(), but the reconstructed IP + TCP header is up to
ip->ihl*4 + thp->doff*4 bytes. IHL and TCP doff are 4-bit fields and
both can legitimately reach 15, so the header can grow to 2*15*4 =
120 bytes. A VJ-uncompressed primer with ihl=15, doff=15 followed by
a compressed frame of size buffsize - 80 therefore writes up to
33 bytes past the kmalloc(buffsize + 4) rbuff allocation, with
attacker-controlled content:

 BUG: KASAN: slab-out-of-bounds in slhc_uncompress
 Write of size 1069 at addr ffff88800ba93078 by task kworker/u8:1/32
 Workqueue: events_unbound flush_to_ldisc
 Call Trace:
  __asan_memmove+0x3f/0x70
  slhc_uncompress (drivers/net/slip/slhc.c:614)
  slip_receive_buf (drivers/net/slip/slip.c:342)
  tty_ldisc_receive_buf
  flush_to_ldisc

Raise the reservation to match the real worst case. The ppp_generic
receive path already enforces skb_tailroom >= 124 and is unaffected.

Fixes: b5451d783ade ("slip: Move the SLIP drivers")
Reported-by: Simon Horman <horms@kernel.org>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
---
 drivers/net/slip/slip.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
index 820e1a8fc9560..37af7cbe7f81d 100644
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -333,9 +333,13 @@ static void sl_bump(struct slip *sl)
 				printk(KERN_WARNING "%s: compressed packet ignored\n", dev->name);
 				return;
 			}
-			/* make sure we've reserved enough space for uncompress
-			   to use */
-			if (count + 80 > sl->buffsize) {
+			/* slhc_uncompress() prepends up to
+			 * ip->ihl * 4 + thp->doff * 4 bytes of reconstructed
+			 * IPv4 + TCP header. IHL and doff are 4-bit fields
+			 * (max 15) counting 4-byte units, so the header is
+			 * at most 2 * 15 * 4 = 120 bytes.
+			 */
+			if (count + 2 * 15 * 4 > sl->buffsize) {
 				dev->stats.rx_over_errors++;
 				return;
 			}
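Review bot: the bound `2 * 15 * 4` is spelled out as a literal in both the comment and the condition, so nothing ties it to what slhc_uncompress() actually writes; a named constant shared with slhc.c (the code that reads IHL and doff and lays the header down) would keep the two from drifting if the reconstruction ever changes. The commit message also points out that ppp_generic enforces a tailroom of 124 while this check uses 120 against sl->buffsize for an rbuff allocated as buffsize + 4; a one-line comment noting that the 4 bytes of slack cover the difference (or simply using the same 124) would spare the next reader from redoing that arithmetic.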
-- 
2.43.0
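The overrun described in the commit message, as an added userspace model that is not the kernel's code: it reproduces the sl_bump() gate with the old reservation (80) and the patched one (120), computes how far an in-place header expansion of a worst-case primer (ihl=15, doff=15) reaches past an rbuff of buffsize + 4, and then performs the corresponding memmove into a malloc'd buffer with a canary region behind it. Two inputs are assumptions rather than facts from the patch: the 4 bytes of kmalloc slack are taken from the commit message, and the smallest VJ compressed header that a primer can be followed by is taken as 3 bytes (change mask plus 16-bit TCP checksum), which is the value that makes the message's 33-byte overrun add up (117 = 120 - 3). The buffsize of 1500 is a constructed sample.

```c
/*
 * Added example, not kernel code: model of the sl_bump() headroom check
 * and of the in-place header expansion done by slhc_uncompress().
 *
 * Assumptions (not taken from the patch itself):
 *  - rbuff is kmalloc(buffsize + 4), per the commit message;
 *  - the minimal VJ compressed header is 3 bytes (change mask + TCP
 *    checksum), which yields the 33-byte overrun the message reports.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OLD_RESERVE     80            /* count + 80 > buffsize, before the patch */
#define NEW_RESERVE     (2 * 15 * 4)  /* count + 120 > buffsize, after the patch */
#define RBUFF_SLACK     4             /* rbuff = kmalloc(buffsize + 4) */
#define MIN_VJ_COMP_HDR 3             /* assumption: change byte + checksum */

/* Bytes of IPv4 + TCP header slhc_uncompress() has to lay down for a primer. */
static int reconstructed_hdr_len(unsigned ihl, unsigned doff)
{
    /* both are 4-bit fields counting 32-bit words */
    return (int)((ihl & 0xf) * 4 + (doff & 0xf) * 4);
}

/* The sl_bump() gate: 1 = passed to slhc_uncompress(), 0 = rx_over_errors. */
static int reserve_allows(int count, int buffsize, int reserve)
{
    return count + reserve > buffsize ? 0 : 1;
}

/* Analytic overrun: bytes written past the end of rbuff, 0 if the frame fits. */
static int overrun_bytes(int count, int buffsize, unsigned ihl, unsigned doff)
{
    int grown = count - MIN_VJ_COMP_HDR + reconstructed_hdr_len(ihl, doff);
    int alloc = buffsize + RBUFF_SLACK;
    return grown > alloc ? grown - alloc : 0;
}

/* Largest frame the gate admits is buffsize - reserve; overrun it produces. */
static int worst_overrun(int buffsize, int reserve, unsigned ihl, unsigned doff)
{
    int count = buffsize - reserve;
    if (!reserve_allows(count, buffsize, reserve))
        return -1; /* cannot happen by construction; defensive */
    return overrun_bytes(count, buffsize, ihl, doff);
}

/*
 * Concrete version: do the memmove that slides the payload up to make room
 * for the reconstructed header and count canary bytes it clobbers behind
 * the allocation. Returns -1 if the inputs would even overrun the canary.
 */
static int simulate_expand(int count, int buffsize, unsigned ihl, unsigned doff)
{
    enum { GUARD = 256 };
    int alloc = buffsize + RBUFF_SLACK;
    int hdr = reconstructed_hdr_len(ihl, doff);
    int grown = count - MIN_VJ_COMP_HDR + hdr;
    unsigned char *buf;
    int i, clobbered = 0;

    if (count < MIN_VJ_COMP_HDR || count > buffsize || grown > alloc + GUARD)
        return -1;
    buf = malloc((size_t)alloc + GUARD);
    if (!buf)
        return -1;
    memset(buf, 0x41, (size_t)alloc);         /* attacker-controlled frame bytes */
    memset(buf + alloc, 0xa5, GUARD);         /* canary standing in for the next slab object */
    /* slide the payload that followed the compressed header up past the new header */
    memmove(buf + hdr, buf + MIN_VJ_COMP_HDR, (size_t)(count - MIN_VJ_COMP_HDR));
    for (i = 0; i < GUARD; i++)
        if (buf[alloc + i] != 0xa5)
            clobbered++;
    free(buf);
    return clobbered;
}

int main(void)
{
    int buffsize = 1500; /* constructed sample; any size shows the same delta */

    printf("old gate (80):  worst overrun %d bytes, memmove clobbers %d\n",
           worst_overrun(buffsize, OLD_RESERVE, 15, 15),
           simulate_expand(buffsize - OLD_RESERVE, buffsize, 15, 15));
    printf("new gate (120): worst overrun %d bytes, memmove clobbers %d\n",
           worst_overrun(buffsize, NEW_RESERVE, 15, 15),
           simulate_expand(buffsize - NEW_RESERVE, buffsize, 15, 15));
    return 0;
}
```

With the old reservation the largest admitted frame expands 33 bytes past the allocation, matching the commit message; with the patched reservation the same worst-case primer stays 7 bytes short of the end of rbuff, and a normal 40-byte header (ihl=5, doff=5) never overruns under either gate.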

