Netdev List
 help / color / mirror / Atom feed
* [PATCH net] mctp: serial: reject zero-length frames to prevent rx buffer overflow
@ 2026-07-14 13:03 Doruk Tan Ozturk
  2026-07-15  3:23 ` Jeremy Kerr
  0 siblings, 1 reply; 2+ messages in thread
From: Doruk Tan Ozturk @ 2026-07-14 13:03 UTC (permalink / raw)
  To: jk, matt, andrew+netdev, davem, edumazet, kuba, pabeni
  Cc: netdev, linux-kernel, stable

The MCTP serial receive state machine reads a frame length byte in
mctp_serial_push_header() case 2 and validates it upper-bound-only:

	if (c > MCTP_SERIAL_FRAME_MTU) {
		dev->rxstate = STATE_ERR;
	} else {
		dev->rxlen = c;
		dev->rxpos = 0;
		dev->rxstate = STATE_DATA;
		...
	}

A length of zero passes this check, so rxlen is set to 0 and the state
machine advances to STATE_DATA. In mctp_serial_push() STATE_DATA, the
incoming byte is stored and rxpos incremented before the terminator is
tested:

	dev->rxbuf[dev->rxpos] = c;
	dev->rxpos++;
	dev->rxstate = STATE_DATA;
	if (dev->rxpos == dev->rxlen) {
		dev->rxpos = 0;
		dev->rxstate = STATE_TRAILER;
	}

With rxlen == 0 the "rxpos == rxlen" terminator can never fire (rxpos is
already 1 on the first data byte), so subsequent bytes are written past
the end of the fixed 74-byte rxbuf, which is the last member of the
netdev private area. Every following data byte is an attacker-controlled
1-byte out-of-bounds heap write, and the overflow continues until a
frame (0x7e) or escape byte resets the parser -- effectively unbounded.

Reaching this requires CAP_NET_ADMIN to attach the N_MCTP line
discipline and bring the resulting mctpserialN netdev up, after which
the bytes arrive via the tty receive path.

Reject a zero-length frame in the header parser, matching the existing
upper-bound rejection.

KASAN, on a frame of 0x7e 0x01 0x00 followed by data bytes:

  UBSAN: array-index-out-of-bounds in drivers/net/mctp/mctp-serial.c:370
  index 74 is out of range for type 'u8 [74]'
  BUG: KASAN: slab-out-of-bounds in mctp_serial_tty_receive_buf
  Write of size 1 at addr ... by task kworker/u16:0
   mctp_serial_tty_receive_buf
   tty_ldisc_receive_buf
   flush_to_ldisc
  Allocated by task 152:
   alloc_netdev_mqs
   mctp_serial_open

Found by 0sec (https://0sec.ai).
Fixes: a0c2ccd9b5ad ("mctp: Add MCTP-over-serial transport binding")
Cc: stable@vger.kernel.org
Assisted-by: 0sec
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
 drivers/net/mctp/mctp-serial.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/mctp/mctp-serial.c b/drivers/net/mctp/mctp-serial.c
index 26c9a33fd636..1e3d285c0500 100644
--- a/drivers/net/mctp/mctp-serial.c
+++ b/drivers/net/mctp/mctp-serial.c
@@ -313,7 +313,7 @@ static void mctp_serial_push_header(struct mctp_serial *dev, u8 c)
 		}
 		break;
 	case 2:
-		if (c > MCTP_SERIAL_FRAME_MTU) {
+		if (c == 0 || c > MCTP_SERIAL_FRAME_MTU) {
 			dev->rxstate = STATE_ERR;
 		} else {
 			dev->rxlen = c;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH net] mctp: serial: reject zero-length frames to prevent rx buffer overflow
  2026-07-14 13:03 [PATCH net] mctp: serial: reject zero-length frames to prevent rx buffer overflow Doruk Tan Ozturk
@ 2026-07-15  3:23 ` Jeremy Kerr
  0 siblings, 0 replies; 2+ messages in thread
From: Jeremy Kerr @ 2026-07-15  3:23 UTC (permalink / raw)
  To: Doruk Tan Ozturk, matt, andrew+netdev, davem, edumazet, kuba,
	pabeni
  Cc: netdev, linux-kernel, stable

Hi Doruk,

Thanks for the report. The analysis looks solid, but I do have a
recommendation for a different fix. One comment inline too.

> The MCTP serial receive state machine reads a frame length byte in
> mctp_serial_push_header() case 2 and validates it upper-bound-only:
> 
> 	if (c > MCTP_SERIAL_FRAME_MTU) {
> 		dev->rxstate = STATE_ERR;
> 	} else {
> 		dev->rxlen = c;
> 		dev->rxpos = 0;
> 		dev->rxstate = STATE_DATA;
> 		...
> 	}
> 
> A length of zero passes this check, so rxlen is set to 0 and the state
> machine advances to STATE_DATA. In mctp_serial_push() STATE_DATA, the
> incoming byte is stored and rxpos incremented before the terminator is
> tested:
> 
> 	dev->rxbuf[dev->rxpos] = c;
> 	dev->rxpos++;
> 	dev->rxstate = STATE_DATA;
> 	if (dev->rxpos == dev->rxlen) {
> 		dev->rxpos = 0;
> 		dev->rxstate = STATE_TRAILER;
> 	}
> 
> With rxlen == 0 the "rxpos == rxlen" terminator can never fire (rxpos is
> already 1 on the first data byte), so subsequent bytes are written past
> the end of the fixed 74-byte rxbuf, which is the last member of the
> netdev private area. Every following data byte is an attacker-controlled
> 1-byte out-of-bounds heap write, and the overflow continues until a
> frame (0x7e) or escape byte resets the parser -- effectively unbounded.
> 
> Reaching this requires CAP_NET_ADMIN to attach the N_MCTP line
> discipline and bring the resulting mctpserialN netdev up, after which
> the bytes arrive via the tty receive path.
> 
> Reject a zero-length frame in the header parser, matching the existing
> upper-bound rejection.
> 
> KASAN, on a frame of 0x7e 0x01 0x00 followed by data bytes:
> 
>   UBSAN: array-index-out-of-bounds in drivers/net/mctp/mctp-serial.c:370
>   index 74 is out of range for type 'u8 [74]'
>   BUG: KASAN: slab-out-of-bounds in mctp_serial_tty_receive_buf
>   Write of size 1 at addr ... by task kworker/u16:0
>    mctp_serial_tty_receive_buf
>    tty_ldisc_receive_buf
>    flush_to_ldisc
>   Allocated by task 152:
>    alloc_netdev_mqs
>    mctp_serial_open
> 
> Found by 0sec (https://0sec.ai).
> Fixes: a0c2ccd9b5ad ("mctp: Add MCTP-over-serial transport binding")
> Cc: stable@vger.kernel.org
> Assisted-by: 0sec

I assume this needs to be in the Assisted-by format.

> Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
> ---
>  drivers/net/mctp/mctp-serial.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

> diff --git a/drivers/net/mctp/mctp-serial.c b/drivers/net/mctp/mctp-serial.c
> index 26c9a33fd636..1e3d285c0500 100644
> --- a/drivers/net/mctp/mctp-serial.c
> +++ b/drivers/net/mctp/mctp-serial.c
> @@ -313,7 +313,7 @@ static void mctp_serial_push_header(struct mctp_serial *dev, u8 c)
>  		}
>  		break;
>  	case 2:
> -		if (c > MCTP_SERIAL_FRAME_MTU) {
> +		if (c == 0 || c > MCTP_SERIAL_FRAME_MTU) {
>  			dev->rxstate = STATE_ERR;
>  		} else {
>  			dev->rxlen = c;

We probably want to advance directly to STATE_TRAILER instead, in order
to consume the trailer and framing bytes for cases when it's a
legitimate (although somewhat useless) zero-length frame.

Perhaps:

--- a/drivers/net/mctp/mctp-serial.c
+++ b/drivers/net/mctp/mctp-serial.c
@@ -318,7 +318,7 @@ static void mctp_serial_push_header(struct mctp_serial *dev, u8 c)
                } else {
                        dev->rxlen = c;
                        dev->rxpos = 0;
-                       dev->rxstate = STATE_DATA;
+                       dev->rxstate = c > 0 ? STATE_DATA : STATE_TRAILER;
                        dev->rxfcs = crc_ccitt_byte(dev->rxfcs, c);
                }
                break;

We'll still land in STATE_ERROR on incorrect framing, but just during
trailer parse instead.

We could then add an early error path rather than creating a zero-length
skb (which then gets rejected by the MCTP core), but that would be best
done separately.

Cheers,


Jeremy

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-07-15  3:23 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-14 13:03 [PATCH net] mctp: serial: reject zero-length frames to prevent rx buffer overflow Doruk Tan Ozturk
2026-07-15  3:23 ` Jeremy Kerr

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox