[thirdparty/kernel/stable-queue.git] / releases / 4.18.11 / pppoe-fix-reception-of-frames-with-no-mac-header.patch

From foo@baz Wed Sep 26 11:27:32 CEST 2018
From: Guillaume Nault <g.nault@alphalink.fr>
Date: Fri, 14 Sep 2018 16:28:05 +0200
Subject: pppoe: fix reception of frames with no mac header

From: Guillaume Nault <g.nault@alphalink.fr>

[ Upstream commit 8540827ebac6b654ab2f69c8fbce9e4fbd6304a0 ]

pppoe_rcv() needs to look back at the Ethernet header in order to
lookup the PPPoE session. Therefore we need to ensure that the mac
header is big enough to contain an Ethernet header. Otherwise
eth_hdr(skb)->h_source might access invalid data.

==================================================================
BUG: KMSAN: uninit-value in __get_item drivers/net/ppp/pppoe.c:172 [inline]
BUG: KMSAN: uninit-value in get_item drivers/net/ppp/pppoe.c:236 [inline]
BUG: KMSAN: uninit-value in pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
CPU: 0 PID: 4543 Comm: syz-executor355 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 __get_item drivers/net/ppp/pppoe.c:172 [inline]
 get_item drivers/net/ppp/pppoe.c:236 [inline]
 pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
 __netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4562
 __netif_receive_skb net/core/dev.c:4627 [inline]
 netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
 netif_receive_skb+0x230/0x240 net/core/dev.c:4725
 tun_rx_batched drivers/net/tun.c:1555 [inline]
 tun_get_user+0x740f/0x7c60 drivers/net/tun.c:1962
 tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
 call_write_iter include/linux/fs.h:1782 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
 vfs_write+0x463/0x8d0 fs/read_write.c:544
 SYSC_write+0x172/0x360 fs/read_write.c:589
 SyS_write+0x55/0x80 fs/read_write.c:581
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4447c9
RSP: 002b:00007fff64c8fc28 EFLAGS: 00000297 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004447c9
RDX: 000000000000fd87 RSI: 0000000020000600 RDI: 0000000000000004
RBP: 00000000006cf018 R08: 00007fff64c8fda8 R09: 00007fff00006bda
R10: 0000000000005fe7 R11: 0000000000000297 R12: 00000000004020d0
R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:984 [inline]
 alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
 sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
 tun_alloc_skb drivers/net/tun.c:1532 [inline]
 tun_get_user+0x2242/0x7c60 drivers/net/tun.c:1829
 tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
 call_write_iter include/linux/fs.h:1782 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
 vfs_write+0x463/0x8d0 fs/read_write.c:544
 SYSC_write+0x172/0x360 fs/read_write.c:589
 SyS_write+0x55/0x80 fs/read_write.c:581
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
==================================================================

Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers")
Reported-by: syzbot+f5f6080811c849739212@syzkaller.appspotmail.com
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ppp/pppoe.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -429,6 +429,9 @@ static int pppoe_rcv(struct sk_buff *skb
 	if (!skb)
 		goto out;
 
+	if (skb_mac_header_len(skb) < ETH_HLEN)
+		goto drop;
+
 	if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
 		goto drop;
Commit	Line	Data
a81a45e9 GKH	1	From foo@baz Wed Sep 26 11:27:32 CEST 2018
	2	From: Guillaume Nault <g.nault@alphalink.fr>
	3	Date: Fri, 14 Sep 2018 16:28:05 +0200
	4	Subject: pppoe: fix reception of frames with no mac header
	5
	6	From: Guillaume Nault <g.nault@alphalink.fr>
	7
	8	[ Upstream commit 8540827ebac6b654ab2f69c8fbce9e4fbd6304a0 ]
	9
	10	pppoe_rcv() needs to look back at the Ethernet header in order to
	11	lookup the PPPoE session. Therefore we need to ensure that the mac
	12	header is big enough to contain an Ethernet header. Otherwise
	13	eth_hdr(skb)->h_source might access invalid data.
	14
	15	==================================================================
	16	BUG: KMSAN: uninit-value in __get_item drivers/net/ppp/pppoe.c:172 [inline]
	17	BUG: KMSAN: uninit-value in get_item drivers/net/ppp/pppoe.c:236 [inline]
	18	BUG: KMSAN: uninit-value in pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
	19	CPU: 0 PID: 4543 Comm: syz-executor355 Not tainted 4.16.0+ #87
	20	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
	21	01/01/2011
	22	Call Trace:
	23	__dump_stack lib/dump_stack.c:17 [inline]
	24	dump_stack+0x185/0x1d0 lib/dump_stack.c:53
	25	kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
	26	__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
	27	__get_item drivers/net/ppp/pppoe.c:172 [inline]
	28	get_item drivers/net/ppp/pppoe.c:236 [inline]
	29	pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
	30	__netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4562
	31	__netif_receive_skb net/core/dev.c:4627 [inline]
	32	netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
	33	netif_receive_skb+0x230/0x240 net/core/dev.c:4725
	34	tun_rx_batched drivers/net/tun.c:1555 [inline]
	35	tun_get_user+0x740f/0x7c60 drivers/net/tun.c:1962
	36	tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
	37	call_write_iter include/linux/fs.h:1782 [inline]
	38	new_sync_write fs/read_write.c:469 [inline]
	39	__vfs_write+0x7fb/0x9f0 fs/read_write.c:482
	40	vfs_write+0x463/0x8d0 fs/read_write.c:544
	41	SYSC_write+0x172/0x360 fs/read_write.c:589
	42	SyS_write+0x55/0x80 fs/read_write.c:581
	43	do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
	44	entry_SYSCALL_64_after_hwframe+0x3d/0xa2
	45	RIP: 0033:0x4447c9
	46	RSP: 002b:00007fff64c8fc28 EFLAGS: 00000297 ORIG_RAX: 0000000000000001
	47	RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004447c9
	48	RDX: 000000000000fd87 RSI: 0000000020000600 RDI: 0000000000000004
	49	RBP: 00000000006cf018 R08: 00007fff64c8fda8 R09: 00007fff00006bda
	50	R10: 0000000000005fe7 R11: 0000000000000297 R12: 00000000004020d0
	51	R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000
	52
	53	Uninit was created at:
	54	kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
	55	kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
	56	kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
	57	kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
	58	slab_post_alloc_hook mm/slab.h:445 [inline]
	59	slab_alloc_node mm/slub.c:2737 [inline]
	60	__kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
	61	__kmalloc_reserve net/core/skbuff.c:138 [inline]
	62	__alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
	63	alloc_skb include/linux/skbuff.h:984 [inline]
	64	alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
65	sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
66	tun_alloc_skb drivers/net/tun.c:1532 [inline]
67	tun_get_user+0x2242/0x7c60 drivers/net/tun.c:1829
68	tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
69	call_write_iter include/linux/fs.h:1782 [inline]
70	new_sync_write fs/read_write.c:469 [inline]
71	__vfs_write+0x7fb/0x9f0 fs/read_write.c:482
72	vfs_write+0x463/0x8d0 fs/read_write.c:544
73	SYSC_write+0x172/0x360 fs/read_write.c:589
74	SyS_write+0x55/0x80 fs/read_write.c:581
75	do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
76	entry_SYSCALL_64_after_hwframe+0x3d/0xa2
77	==================================================================
78
79	Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers")
80	Reported-by: syzbot+f5f6080811c849739212@syzkaller.appspotmail.com
81	Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
82	Signed-off-by: David S. Miller <davem@davemloft.net>
83	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
84	---
85	drivers/net/ppp/pppoe.c \| 3 +++
86	1 file changed, 3 insertions(+)
87
88	--- a/drivers/net/ppp/pppoe.c
89	+++ b/drivers/net/ppp/pppoe.c
90	@@ -429,6 +429,9 @@ static int pppoe_rcv(struct sk_buff *skb
91	if (!skb)
92	goto out;
93
94	+ if (skb_mac_header_len(skb) < ETH_HLEN)
95	+ goto drop;
96	+
97	if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
98	goto drop;
99