public inbox for stable@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Shigeru Yoshida <syoshida@redhat.com>,
	Simon Horman <horms@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 38/97] tty: Fix uninit-value access in ppp_sync_receive()
Date: Fri, 24 Nov 2023 17:50:11 +0000
Message-ID: <20231124171935.579365454@linuxfoundation.org>
In-Reply-To: <20231124171934.122298957@linuxfoundation.org>

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shigeru Yoshida <syoshida@redhat.com>

[ Upstream commit 719639853d88071dfdfd8d9971eca9c283ff314c ]

KMSAN reported the following uninit-value access issue:

=====================================================
BUG: KMSAN: uninit-value in ppp_sync_input drivers/net/ppp/ppp_synctty.c:690 [inline]
BUG: KMSAN: uninit-value in ppp_sync_receive+0xdc9/0xe70 drivers/net/ppp/ppp_synctty.c:334
 ppp_sync_input drivers/net/ppp/ppp_synctty.c:690 [inline]
 ppp_sync_receive+0xdc9/0xe70 drivers/net/ppp/ppp_synctty.c:334
 tiocsti+0x328/0x450 drivers/tty/tty_io.c:2295
 tty_ioctl+0x808/0x1920 drivers/tty/tty_io.c:2694
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl+0x211/0x400 fs/ioctl.c:857
 __x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 __alloc_pages+0x75d/0xe80 mm/page_alloc.c:4591
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 __page_frag_cache_refill+0x9a/0x2c0 mm/page_alloc.c:4691
 page_frag_alloc_align+0x91/0x5d0 mm/page_alloc.c:4722
 page_frag_alloc include/linux/gfp.h:322 [inline]
 __netdev_alloc_skb+0x215/0x6d0 net/core/skbuff.c:728
 netdev_alloc_skb include/linux/skbuff.h:3225 [inline]
 dev_alloc_skb include/linux/skbuff.h:3238 [inline]
 ppp_sync_input drivers/net/ppp/ppp_synctty.c:669 [inline]
 ppp_sync_receive+0x237/0xe70 drivers/net/ppp/ppp_synctty.c:334
 tiocsti+0x328/0x450 drivers/tty/tty_io.c:2295
 tty_ioctl+0x808/0x1920 drivers/tty/tty_io.c:2694
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl+0x211/0x400 fs/ioctl.c:857
 __x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 0 PID: 12950 Comm: syz-executor.1 Not tainted 6.6.0-14500-g1c41041124bd #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
=====================================================

ppp_sync_input() checks the first 2 bytes of the data are PPP_ALLSTATIONS
and PPP_UI. However, if the data length is 1 and the first byte is
PPP_ALLSTATIONS, an access to an uninitialized value occurs when checking
PPP_UI. This patch resolves this issue by checking the data length.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ppp/ppp_synctty.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
index 047f6c68a4419..e0de8b32df46a 100644
--- a/drivers/net/ppp/ppp_synctty.c
+++ b/drivers/net/ppp/ppp_synctty.c
@@ -702,7 +702,7 @@ ppp_sync_input(struct syncppp *ap, const unsigned char *buf,
 
 	/* strip address/control field if present */
 	p = skb->data;
-	if (p[0] == PPP_ALLSTATIONS && p[1] == PPP_UI) {
+	if (skb->len >= 2 && p[0] == PPP_ALLSTATIONS && p[1] == PPP_UI) {
 		/* chop off address/control */
 		if (skb->len < 3)
 			goto err;
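Review bot: the new `skb->len >= 2 &&` guard relies on left-to-right short-circuit evaluation, so neither p[0] nor p[1] is read for a one-byte skb, but nothing in the hunk explains why such a short frame can reach this point; a brief comment above the `if` noting that the data comes straight from the tty path (the report shows it arriving via tiocsti) and that the skb payload beyond `len` is uninitialized allocator memory would make the length test's purpose clear. The existing `if (skb->len < 3) goto err;` inside the branch remains necessary and sufficient for the protocol byte that must follow address/control, so no change there.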
-- 
2.42.0
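The commit message describes the defect as a two-byte comparison made on a frame that may be only one byte long. The following user-space C model is an added illustration, not code from the patch or from the kernel: it places the pre-patch condition beside the patched one and counts how many bytes each reads, so the out-of-bounds access is observable rather than silent. The `strip_outcome` record, the `examined` counter, the four constructed frames and the "unchecked" function are all assumptions made for this demonstration; `PPP_ALLSTATIONS` (0xff) and `PPP_UI` (0x03) are the standard RFC 1662 framing values. The one-byte frames are backed by a two-byte array so the demo itself never touches unallocated memory; the second byte stands in for whatever the uninitialized skb tail happens to contain.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard PPP/HDLC framing values (RFC 1662). */
#define PPP_ALLSTATIONS 0xff
#define PPP_UI          0x03

enum strip_result {
    STRIP_NONE,      /* no address/control field present */
    STRIP_DONE,      /* address/control removed, consumed == 2 */
    STRIP_ERR_SHORT  /* address/control present but no protocol byte follows */
};

/* Hypothetical result record (not a kernel type). 'examined' counts the bytes
 * read from the frame; a value larger than len means a read past the data. */
struct strip_outcome {
    enum strip_result result;
    size_t consumed;
    size_t examined;
};

/* Model of the pre-patch condition: p[1] is read as soon as p[0] matches,
 * whatever the frame length. Callers must pass a backing buffer of at least
 * two bytes so this demo itself stays inside allocated memory. */
static struct strip_outcome
strip_addr_ctrl_unchecked(const uint8_t *p, size_t len)
{
    struct strip_outcome o = { STRIP_NONE, 0, 1 };
    if (p[0] == PPP_ALLSTATIONS) {
        o.examined = 2;                  /* no length test before p[1] */
        if (p[1] == PPP_UI) {
            if (len < 3) {
                o.result = STRIP_ERR_SHORT;
                return o;
            }
            o.consumed = 2;
            o.result = STRIP_DONE;
        }
    }
    return o;
}

/* Model of the patched condition "len >= 2 && p[0] == ... && p[1] == ...",
 * unrolled so the reads can be counted: the length test comes first, and &&
 * short-circuits, so p[0] and p[1] are only read when both lie inside len. */
static struct strip_outcome
strip_addr_ctrl_checked(const uint8_t *p, size_t len)
{
    struct strip_outcome o = { STRIP_NONE, 0, 0 };
    if (len < 2)
        return o;                        /* nothing examined at all */
    o.examined = 1;
    if (p[0] == PPP_ALLSTATIONS) {
        o.examined = 2;
        if (p[1] == PPP_UI) {
            if (len < 3) {               /* need at least a protocol byte */
                o.result = STRIP_ERR_SHORT;
                return o;
            }
            o.consumed = 2;
            o.result = STRIP_DONE;
        }
    }
    return o;
}

/* Constructed frames. In the one-byte cases the second array element stands
 * in for the uninitialised skb tail beyond the declared length. */
static const uint8_t frame_lone_junk[2] = { PPP_ALLSTATIONS, 0x5a };
static const uint8_t frame_lone_ui[2]   = { PPP_ALLSTATIONS, PPP_UI };
static const uint8_t frame_full[3]      = { PPP_ALLSTATIONS, PPP_UI, 0x21 };
static const uint8_t frame_no_ac[2]     = { 0x00, 0x21 };

int main(void)
{
    struct strip_outcome u = strip_addr_ctrl_unchecked(frame_lone_junk, 1);
    struct strip_outcome c = strip_addr_ctrl_checked(frame_lone_junk, 1);

    printf("1-byte frame, unchecked: examined %zu byte(s), result %d\n",
           u.examined, (int)u.result);
    printf("1-byte frame, checked:   examined %zu byte(s), result %d\n",
           c.examined, (int)c.result);

    /* Same 1-byte frame, but the byte outside it happens to equal PPP_UI:
     * the unchecked path now discards the frame on the strength of memory
     * that was never part of the received data. */
    u = strip_addr_ctrl_unchecked(frame_lone_ui, 1);
    printf("1-byte frame, unchecked, tail == PPP_UI: result %d\n", (int)u.result);
    return 0;
}
```

The two `frame_lone_*` cases are the point of the exercise: the frame the caller handed over is identical in both, yet the unchecked path returns different results depending on a byte it had no business reading, which is exactly the nondeterminism KMSAN flags as an uninit-value use.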
