Date: Wed, 15 Apr 2026 08:59:21 +0100
From: David Laight
To: Ashutosh Desai
Cc: netdev@vger.kernel.org, linux-hams@vger.kernel.org, jreuter@yaina.de, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 net] ax25: fix OOB read after address header strip in ax25_rcv()
Message-ID: <20260415085921.757b48a0@pumpkin>
In-Reply-To: <20260415063654.3831353-1-ashutoshdesai993@gmail.com>
References: <20260415063654.3831353-1-ashutoshdesai993@gmail.com>
X-Mailer: Claws Mail 4.1.1 (GTK 3.24.38; arm-unknown-linux-gnueabihf)

On Wed, 15 Apr 2026 06:36:54 +0000 Ashutosh Desai wrote:
> A remote station can send a crafted KISS frame that is just long enough
> to pass ax25_addr_parse() (minimum 14 address bytes) but carries no
> control or PID bytes. After ax25_kiss_rcv() strips the KISS framing
> byte and ax25_rcv() strips the address header with skb_pull(), skb->len
> drops to zero. The subsequent reads of skb->data[0] (control byte) and
> skb->data[1] (PID byte) are then out of bounds, which can crash the
> kernel or leak heap memory to a remote attacker.
>
> Use pskb_may_pull(skb, 2) after the skb_pull() to ensure both bytes
> are in the linear area before reading them. Discard malformed frames
> that carry no control/PID pair.

Is it just worth linearising the skb on entry to all this code?

I believe all the frames are relatively short and low frequency.
So the actual overhead is insignificant, but it makes all the sanity
checks trivial.

It is even likely (hand waving) that the extra copy for non-linear data
is faster than all the checks for non-linear data.

	David
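The length check discussed in the thread, as an added example in plain C that is not the kernel's code nor either poster's patch: a hypothetical ax25_addr_field_len/ax25_rcv_check pair over a plain buffer models the address-header strip followed by the control/PID read, and a constructed 16-byte UI frame shows the 14-byte-address case that the pskb_may_pull(skb, 2) check rejects.

```c
#include <stdint.h>
#include <stddef.h>

#define AX25_ADDR_LEN   7     /* 6 shifted callsign bytes + 1 SSID byte */
#define AX25_MAX_DIGIS  8     /* repeaters allowed after dst and src */
#define AX25_EBIT       0x01  /* "end of address field" bit in the SSID byte */
#define RCV_BAD_ADDR    (-1)  /* address field truncated or malformed */
#define RCV_NO_CTRL_PID (-2)  /* address ok, but control/PID bytes missing */

/* Length of the address field: dst + src (14 bytes) plus repeaters until the
 * E bit is set, each counted only if fully present. Returns -1 if malformed. */
static int ax25_addr_field_len(const uint8_t *buf, size_t len)
{
    size_t off = 2 * AX25_ADDR_LEN;
    int digis = 0;

    if (len < off)
        return -1;
    while (!(buf[off - 1] & AX25_EBIT)) {
        if (digis++ >= AX25_MAX_DIGIS || len < off + AX25_ADDR_LEN)
            return -1;
        off += AX25_ADDR_LEN;
    }
    return (int)off;
}

/* Same order as the receive path: strip the address header, then insist on the
 * control and PID bytes before reading them. Without the len < 2 check a
 * 14-byte frame would read two bytes past the end of its buffer.
 * Returns (control << 8 | pid) on success, or a negative RCV_* code. */
static int ax25_rcv_check(const uint8_t *buf, size_t len)
{
    int alen = ax25_addr_field_len(buf, len);

    if (alen < 0)
        return RCV_BAD_ADDR;
    buf += alen;                    /* skb_pull(skb, alen): header is gone */
    len -= alen;
    if (len < 2)                    /* what pskb_may_pull(skb, 2) enforces */
        return RCV_NO_CTRL_PID;
    return (buf[0] << 8) | buf[1];
}

/* Constructed frame: dst APRS-0 (E=0), src N0CALL-0 (E=1), control 0x03,
 * PID 0xF0 (UI frame, no layer 3). Callsign bytes are shifted left by one. */
static const uint8_t ui_frame[16] = {
    0x82, 0xA0, 0xA4, 0xA6, 0x40, 0x40, 0x60,
    0x9C, 0x60, 0x86, 0x82, 0x98, 0x98, 0x61, 0x03, 0xF0 };
```

Calling ax25_rcv_check(ui_frame, 14) returns RCV_NO_CTRL_PID, the frame the patch description calls malformed, while the full 16 bytes yield 0x03F0.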