From: Simon Horman <horms@kernel.org>
To: Weiming Shi <bestswngs@gmail.com>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>,
"David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Hans Verkuil <hverkuil+cisco@kernel.org>,
Alex Deucher <alexander.deucher@amd.com>,
Ian Rogers <irogers@google.com>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Kees Cook <kees@kernel.org>, Ingo Molnar <mingo@kernel.org>,
Alan Cox <alan@linux.intel.com>,
netdev@vger.kernel.org
Subject: Re: [PATCH net] slip: fix slab-out-of-bounds write in slhc_uncompress()
Date: Sun, 19 Apr 2026 15:57:00 +0100 [thread overview]
Message-ID: <20260419145700.GN280379@horms.kernel.org> (raw)
In-Reply-To: <20260419143233.GK280379@horms.kernel.org>
On Sun, Apr 19, 2026 at 03:32:33PM +0100, Simon Horman wrote:
> On Sun, Apr 19, 2026 at 03:27:26PM +0100, Simon Horman wrote:
> > On Thu, Apr 16, 2026 at 05:34:00AM +0800, Weiming Shi wrote:
> > > sl_bump() reserves only 80 bytes of expansion headroom before calling
> > > slhc_uncompress(), but the reconstructed IP + TCP header is up to
> > > ip->ihl*4 + thp->doff*4 bytes. IHL and TCP doff are 4-bit fields and
> > > both can legitimately reach 15, so the header can grow to 2*15*4 =
> > > 120 bytes. A VJ-uncompressed primer with ihl=15, doff=15 followed by
> > > a compressed frame of size buffsize - 80 therefore writes up to
> > > 33 bytes past the kmalloc(buffsize + 4) rbuff allocation, with
> > > attacker-controlled content:
> > >
> > > BUG: KASAN: slab-out-of-bounds in slhc_uncompress
> > > Write of size 1069 at addr ffff88800ba93078 by task kworker/u8:1/32
> > > Workqueue: events_unbound flush_to_ldisc
> > > Call Trace:
> > > __asan_memmove+0x3f/0x70
> > > slhc_uncompress (drivers/net/slip/slhc.c:614)
> > > slip_receive_buf (drivers/net/slip/slip.c:342)
> > > tty_ldisc_receive_buf
> > > flush_to_ldisc
> > >
> > > Raise the reservation to match the real worst case. The ppp_generic
> > > receive path already enforces skb_tailroom >= 124 and is unaffected.
> > >
> > > Fixes: b5451d783ade ("slip: Move the SLIP drivers")
AI review flags that this patch moved the code, rather than
adding the bug. It suggests the bug has been present since the
beginning of git history, so:
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > > Reported-by: Simon Horman <horms@kernel.org>
> >
> > FTR, I was mainly passing on information flagged by Sashiko.
> >
> > > Signed-off-by: Weiming Shi <bestswngs@gmail.com>
> >
> > Reviewed-by: Simon Horman <horms@kernel.org>
>
> I'm very sorry but the text below below was for a different,
> albeit related, patch:
>
> - [PATCH net] slip: bound decode() reads against the compressed packet length
> https://lore.kernel.org/netdev/20260416100147.531855-5-bestswngs@gmail.com/
>
> The corresponding text relating to this patch was posted as:
>
> https://lore.kernel.org/netdev/20260419142710.GI280379@horms.kernel.org/
>
> Sorry for the mix up!
Actually, that's not right either.
I will try one more time:
TL;DR: I don't think that review should block progress of this patch.
1. The issue wrt concurrent MTU changes appears to be a separate,
pre-existing problem. Maybe you've looked into it already,
if not, you may wish to.
2. The bounds checking problems are addressed by other patches in flight.
- [PATCH net v2] slip: reject VJ receive packets on instances with no rstate array
https://lore.kernel.org/netdev/20260415204130.258866-2-bestswngs@gmail.com/
- [PATCH net] slip: bound decode() reads against the compressed packet length
https://lore.kernel.org/netdev/20260416100147.531855-5-bestswngs@gmail.com/
In future you might want to consider creating patch sets for related
patches. But I think it's too late in the case of these patches.
prev parent reply other threads:[~2026-04-19 14:57 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-15 21:34 [PATCH net] slip: fix slab-out-of-bounds write in slhc_uncompress() Weiming Shi
2026-04-19 14:27 ` Simon Horman
2026-04-19 14:56 ` Simon Horman
2026-04-19 14:27 ` Simon Horman
2026-04-19 14:32 ` Simon Horman
2026-04-19 14:57 ` Simon Horman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260419145700.GN280379@horms.kernel.org \
--to=horms@kernel.org \
--cc=Jonathan.Cameron@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=alan@linux.intel.com \
--cc=alexander.deucher@amd.com \
--cc=andrew+netdev@lunn.ch \
--cc=bestswngs@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=hverkuil+cisco@kernel.org \
--cc=irogers@google.com \
--cc=kees@kernel.org \
--cc=kuba@kernel.org \
--cc=mingo@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox