From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	syzbot+a8c7be6dee0de1b669cc@syzkaller.appspotmail.com,
	Willem de Bruijn <willemb@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 37/45] llc: verify mac len before reading mac header
Date: Wed, 15 Nov 2023 14:33:14 -0500
Message-ID: <20231115191421.774444290@linuxfoundation.org>
In-Reply-To: <20231115191419.641552204@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <willemb@google.com>

[ Upstream commit 7b3ba18703a63f6fd487183b9262b08e5632da1b ]

LLC reads the mac header with eth_hdr without verifying that the skb
has an Ethernet header.

Syzbot was able to enter llc_rcv on a tun device. Tun can insert
packets without mac len and with user configurable skb->protocol
(passing a tun_pi header when not configuring IFF_NO_PI).

    BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
    BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
    llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
    llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
    llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218
    __netif_receive_skb_one_core net/core/dev.c:5523 [inline]
    __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
    netif_receive_skb_internal net/core/dev.c:5723 [inline]
    netif_receive_skb+0x58/0x660 net/core/dev.c:5782
    tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
    tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002

Add a mac_len test before all three eth_hdr(skb) calls under net/llc.

There are further uses in include/net/llc_pdu.h. All these are
protected by a test skb->protocol == ETH_P_802_2, which does not
protect against this tun scenario.

But the mac_len test added in this patch in llc_fixup_skb will
indirectly protect those too. That is called from llc_rcv before any
other LLC code.

It is tempting to just add a blanket mac_len check in llc_rcv, but
not sure whether that could break valid LLC paths that do not assume
an Ethernet header. 802.2 LLC may be used on top of non-802.3
protocols in principle. The below referenced commit shows that it
used to be, on top of Token Ring.

At least one of the three eth_hdr uses goes back to before the start
of git history. But the one that syzbot exercises is introduced in
this commit. That commit is old enough (2008), that effectively all
stable kernels should receive this.

Fixes: f83f1768f833 ("[LLC]: skb allocation size for responses")
Reported-by: syzbot+a8c7be6dee0de1b669cc@syzkaller.appspotmail.com
Signed-off-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20231025234251.3796495-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/llc/llc_input.c   | 10 ++++++++--
 net/llc/llc_s_ac.c    |  3 +++
 net/llc/llc_station.c |  3 +++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
index d5c6fb41be92e..0e9926c39d1dd 100644
--- a/net/llc/llc_input.c
+++ b/net/llc/llc_input.c
@@ -127,8 +127,14 @@ static inline int llc_fixup_skb(struct sk_buff *skb)
 	skb->transport_header += llc_len;
 	skb_pull(skb, llc_len);
 	if (skb->protocol == htons(ETH_P_802_2)) {
-		__be16 pdulen = eth_hdr(skb)->h_proto;
-		s32 data_size = ntohs(pdulen) - llc_len;
+		__be16 pdulen;
+		s32 data_size;
+
+		if (skb->mac_len < ETH_HLEN)
+			return 0;
+
+		pdulen = eth_hdr(skb)->h_proto;
+		data_size = ntohs(pdulen) - llc_len;
 
 		if (data_size < 0 ||
 		    !pskb_may_pull(skb, data_size))
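Review bot: the new `if (skb->mac_len < ETH_HLEN) return 0;` is placed correctly, ahead of the first `eth_hdr(skb)` dereference, but nothing in the hunk records why a frame that already passed `skb->protocol == htons(ETH_P_802_2)` can arrive with no MAC header at all; a one-line comment naming the tun path from the commit message (user-controlled skb->protocol without IFF_NO_PI, mac_len 0) would stop the next reader from "simplifying" the check away. Note also that the check sits inside the ETH_P_802_2 branch only, so the eth_hdr() users in include/net/llc_pdu.h that the commit message says are guarded by the same protocol test are protected by this early return precisely because llc_fixup_skb runs first in llc_rcv; that ordering invariant deserves a comment next to the check as well.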
diff --git a/net/llc/llc_s_ac.c b/net/llc/llc_s_ac.c
index 9fa3342c7a829..df26557a02448 100644
--- a/net/llc/llc_s_ac.c
+++ b/net/llc/llc_s_ac.c
@@ -153,6 +153,9 @@ int llc_sap_action_send_test_r(struct llc_sap *sap, struct sk_buff *skb)
 	int rc = 1;
 	u32 data_size;
 
+	if (skb->mac_len < ETH_HLEN)
+		return 1;
+
 	llc_pdu_decode_sa(skb, mac_da);
 	llc_pdu_decode_da(skb, mac_sa);
 	llc_pdu_decode_ssap(skb, &dsap);
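Review bot: `return 1;` on the short-header path is consistent with the function's own `int rc = 1;` default, so the caller sees the same failure it would for the other error exits, which is fine. The placement matters more than the hunk makes obvious: the check must stay ahead of `llc_pdu_decode_sa(skb, mac_da)` and `llc_pdu_decode_da(skb, mac_sa)`, since those llc_pdu.h helpers read the MAC header and, per the commit message, are otherwise guarded only by the protocol test. A short comment saying "must precede the llc_pdu_decode_*() calls" would make that explicit, and since this is the second of three copies of the identical `skb->mac_len < ETH_HLEN` test, a tiny static inline helper in llc_pdu.h (for example a hypothetical llc_skb_has_eth_hdr()) would keep the three sites from drifting apart in later backports.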
diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c
index c29170e767a8c..64e2c67e16ba3 100644
--- a/net/llc/llc_station.c
+++ b/net/llc/llc_station.c
@@ -77,6 +77,9 @@ static int llc_station_ac_send_test_r(struct sk_buff *skb)
 	u32 data_size;
 	struct sk_buff *nskb;
 
+	if (skb->mac_len < ETH_HLEN)
+		goto out;
+
 	/* The test request command is type U (llc_len = 3) */
 	data_size = ntohs(eth_hdr(skb)->h_proto) - 3;
 	nskb = llc_alloc_frame(NULL, skb->dev, LLC_PDU_TYPE_U, data_size);
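Review bot: the new `goto out;` jumps to a label that is outside the hunk, so the return value on this path depends on how the function's result is initialized before the jump; please confirm that `out` returns the failure value and does not touch `nskb`, which is still uninitialized at this point (the hunk shows `struct sk_buff *nskb;` with no initializer). The dereference `ntohs(eth_hdr(skb)->h_proto) - 3` is now only reached with a full MAC header, which closes the KMSAN report quoted in the commit message; while here, the hard-coded `3` that the comment explains as the U-format llc_len could use a named constant so the relationship to `llc_len` in llc_fixup_skb is visible in the code and not just in the comment.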
-- 
2.42.0
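The following is an added example, not part of this patch or of the kernel tree. It is a userspace C model of the rule the patch enforces: validate `skb->mac_len` before reading the Ethernet header, and validate the 802.3 length field against the bytes actually present before trusting it. The `skb_model` struct, `llc_fixup_model()` and the three constructed frames are assumptions written to mirror the shape of the kernel code in the hunks above; they are not the real `sk_buff` API. The model also covers the related failure mode the original `data_size < 0 || !pskb_may_pull()` test guards against, an oversized length field.

```c
/* Added example, not kernel code: a userspace model of the patched
 * llc_fixup_skb() branch. struct skb_model and llc_fixup_model() are
 * assumptions that mimic the kernel code, not the real sk_buff API. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htons/ntohs */

#define ETH_ALEN    6
#define ETH_HLEN    14
#define ETH_P_802_2 0x0004   /* same value as the kernel's ETH_P_802_2 */

struct ethhdr_model {
    uint8_t  h_dest[ETH_ALEN];
    uint8_t  h_source[ETH_ALEN];
    uint16_t h_proto;        /* for 802.3/802.2 frames this is a length, not a type */
} __attribute__((packed));

/* Stand-in for the sk_buff fields the LLC input path reads (assumption). */
struct skb_model {
    const uint8_t *buf;      /* whole frame, MAC header first if there is one */
    size_t len;              /* bytes in buf */
    size_t mac_len;          /* link-layer header length; 0 for tun without a MAC header */
    size_t data_off;         /* offset of the LLC PDU (skb->data before skb_pull) */
    uint16_t protocol;       /* skb->protocol, network byte order */
};

/* Mirrors the patched branch: 1 = frame accepted, 0 = frame dropped. */
static int llc_fixup_model(const struct skb_model *skb, size_t llc_len, int *data_size_out)
{
    if (skb->protocol != htons(ETH_P_802_2))
        return 1;                       /* no 802.3 length field to validate */

    /* The fix: never read the Ethernet header of an skb that has none. */
    if (skb->mac_len < ETH_HLEN)
        return 0;

    struct ethhdr_model eth;
    memcpy(&eth, skb->buf, sizeof eth); /* MAC header starts at offset 0 in this model */
    int data_size = (int)ntohs(eth.h_proto) - (int)llc_len;

    /* pskb_may_pull() equivalent: data_size bytes must exist after the LLC header. */
    if (data_size < 0 || skb->data_off + llc_len + (size_t)data_size > skb->len)
        return 0;
    if (data_size_out)
        *data_size_out = data_size;
    return 1;
}

/* Constructed 802.3 frame: 14-byte MAC header whose length field is 7,
 * then a 3-byte U-format LLC header and 4 bytes of payload. */
static const uint8_t good_frame[] = {
    0x01, 0x80, 0xc2, 0x00, 0x00, 0x00,   /* h_dest */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* h_source */
    0x00, 0x07,                           /* h_proto = length 7 */
    0x42, 0x42, 0x03,                     /* DSAP, SSAP, control (UI) */
    0xde, 0xad, 0xbe, 0xef                /* payload */
};

/* Constructed: the same LLC PDU as a tun device without a MAC header
 * would hand up, so mac_len is 0 and there is no ethhdr to read. */
static const uint8_t tun_frame[] = { 0x42, 0x42, 0x03, 0xde, 0xad, 0xbe, 0xef };

/* Well-formed frame is accepted and yields data_size 4. */
int check_good_frame(void)
{
    struct skb_model skb = { good_frame, sizeof good_frame, ETH_HLEN, ETH_HLEN, htons(ETH_P_802_2) };
    int ds = -1;
    return llc_fixup_model(&skb, 3, &ds) == 1 && ds == 4;
}

/* Frame without a MAC header is dropped instead of reading past its start. */
int check_tun_frame(void)
{
    struct skb_model skb = { tun_frame, sizeof tun_frame, 0, 0, htons(ETH_P_802_2) };
    return llc_fixup_model(&skb, 3, NULL) == 0;
}

/* A length field larger than the frame is rejected by the pull check. */
int check_overlong_length(void)
{
    uint8_t frame[sizeof good_frame];
    memcpy(frame, good_frame, sizeof frame);
    frame[12] = 0xff;
    frame[13] = 0xff;                     /* length field now claims 65535 bytes */
    struct skb_model skb = { frame, sizeof frame, ETH_HLEN, ETH_HLEN, htons(ETH_P_802_2) };
    return llc_fixup_model(&skb, 3, NULL) == 0;
}

int main(void)
{
    printf("good frame accepted:      %s\n", check_good_frame() ? "yes" : "no");
    printf("tun frame dropped:        %s\n", check_tun_frame() ? "yes" : "no");
    printf("overlong length dropped:  %s\n", check_overlong_length() ? "yes" : "no");
    return 0;
}
```

The order of the two checks is the point: the `mac_len` test guards the header read itself, while the `data_size` test guards what the header says about the rest of the frame. Removing the first check is exactly the condition KMSAN reported above, because the length field would then be read from memory the frame never covered.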