From: Jeremy Kerr <jk@codeconstruct.com.au>
To: Doruk Tan Ozturk <doruk@0sec.ai>,
matt@codeconstruct.com.au, andrew+netdev@lunn.ch,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH net] mctp: serial: reject zero-length frames to prevent rx buffer overflow
Date: Wed, 15 Jul 2026 11:23:53 +0800 [thread overview]
Message-ID: <1a69cae2f078e24726bfdef5ee2e6575759c8dda.camel@codeconstruct.com.au> (raw)
In-Reply-To: <20260714130348.72716-1-doruk@0sec.ai>
Hi Doruk,
Thanks for the report. The analysis looks solid, but I do have a
recommendation for a different fix. One comment inline too.
> The MCTP serial receive state machine reads a frame length byte in
> mctp_serial_push_header() case 2 and validates it upper-bound-only:
>
> if (c > MCTP_SERIAL_FRAME_MTU) {
> dev->rxstate = STATE_ERR;
> } else {
> dev->rxlen = c;
> dev->rxpos = 0;
> dev->rxstate = STATE_DATA;
> ...
> }
>
> A length of zero passes this check, so rxlen is set to 0 and the state
> machine advances to STATE_DATA. In mctp_serial_push() STATE_DATA, the
> incoming byte is stored and rxpos incremented before the terminator is
> tested:
>
> dev->rxbuf[dev->rxpos] = c;
> dev->rxpos++;
> dev->rxstate = STATE_DATA;
> if (dev->rxpos == dev->rxlen) {
> dev->rxpos = 0;
> dev->rxstate = STATE_TRAILER;
> }
>
> With rxlen == 0 the "rxpos == rxlen" terminator can never fire (rxpos is
> already 1 on the first data byte), so subsequent bytes are written past
> the end of the fixed 74-byte rxbuf, which is the last member of the
> netdev private area. Every following data byte is an attacker-controlled
> 1-byte out-of-bounds heap write, and the overflow continues until a
> frame (0x7e) or escape byte resets the parser -- effectively unbounded.
>
> Reaching this requires CAP_NET_ADMIN to attach the N_MCTP line
> discipline and bring the resulting mctpserialN netdev up, after which
> the bytes arrive via the tty receive path.
>
> Reject a zero-length frame in the header parser, matching the existing
> upper-bound rejection.
>
> KASAN, on a frame of 0x7e 0x01 0x00 followed by data bytes:
>
> UBSAN: array-index-out-of-bounds in drivers/net/mctp/mctp-serial.c:370
> index 74 is out of range for type 'u8 [74]'
> BUG: KASAN: slab-out-of-bounds in mctp_serial_tty_receive_buf
> Write of size 1 at addr ... by task kworker/u16:0
> mctp_serial_tty_receive_buf
> tty_ldisc_receive_buf
> flush_to_ldisc
> Allocated by task 152:
> alloc_netdev_mqs
> mctp_serial_open
>
> Found by 0sec (https://0sec.ai).
> Fixes: a0c2ccd9b5ad ("mctp: Add MCTP-over-serial transport binding")
> Cc: stable@vger.kernel.org
> Assisted-by: 0sec
I assume this needs to be in the Assisted-by format.
> Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
> ---
> drivers/net/mctp/mctp-serial.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> diff --git a/drivers/net/mctp/mctp-serial.c b/drivers/net/mctp/mctp-serial.c
> index 26c9a33fd636..1e3d285c0500 100644
> --- a/drivers/net/mctp/mctp-serial.c
> +++ b/drivers/net/mctp/mctp-serial.c
> @@ -313,7 +313,7 @@ static void mctp_serial_push_header(struct mctp_serial *dev, u8 c)
> }
> break;
> case 2:
> - if (c > MCTP_SERIAL_FRAME_MTU) {
> + if (c == 0 || c > MCTP_SERIAL_FRAME_MTU) {
> dev->rxstate = STATE_ERR;
> } else {
> dev->rxlen = c;
We probably want to advance directly to STATE_TRAILER instead, in order
to consume the trailer and framing bytes for cases when it's a
legitimate (although somewhat useless) zero-length frame.
Perhaps:
--- a/drivers/net/mctp/mctp-serial.c
+++ b/drivers/net/mctp/mctp-serial.c
@@ -318,7 +318,7 @@ static void mctp_serial_push_header(struct mctp_serial *dev, u8 c)
} else {
dev->rxlen = c;
dev->rxpos = 0;
- dev->rxstate = STATE_DATA;
+ dev->rxstate = c > 0 ? STATE_DATA : STATE_TRAILER;
dev->rxfcs = crc_ccitt_byte(dev->rxfcs, c);
}
break;
We'll still land in STATE_ERROR on incorrect framing, but just during
trailer parse instead.
We could then add an early error path rather than creating a zero-length
skb (which then gets rejected by the MCTP core), but that would be best
done separately.
Cheers,
Jeremy
prev parent reply other threads:[~2026-07-15 3:23 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-14 13:03 [PATCH net] mctp: serial: reject zero-length frames to prevent rx buffer overflow Doruk Tan Ozturk
2026-07-15 3:23 ` Jeremy Kerr [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1a69cae2f078e24726bfdef5ee2e6575759c8dda.camel@codeconstruct.com.au \
--to=jk@codeconstruct.com.au \
--cc=andrew+netdev@lunn.ch \
--cc=davem@davemloft.net \
--cc=doruk@0sec.ai \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=matt@codeconstruct.com.au \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox