1 | From foo@baz Wed Sep 26 11:27:32 CEST 2018 |
2 | From: Guillaume Nault <g.nault@alphalink.fr> | |
3 | Date: Fri, 14 Sep 2018 16:28:05 +0200 | |
4 | Subject: pppoe: fix reception of frames with no mac header | |
5 | ||
6 | From: Guillaume Nault <g.nault@alphalink.fr> | |
7 | ||
8 | [ Upstream commit 8540827ebac6b654ab2f69c8fbce9e4fbd6304a0 ] | |
9 | ||
10 | pppoe_rcv() needs to look back at the Ethernet header in order to | |
11 | lookup the PPPoE session. Therefore we need to ensure that the mac | |
12 | header is big enough to contain an Ethernet header. Otherwise | |
13 | eth_hdr(skb)->h_source might access invalid data. | |
14 | ||
15 | ================================================================== | |
16 | BUG: KMSAN: uninit-value in __get_item drivers/net/ppp/pppoe.c:172 [inline] | |
17 | BUG: KMSAN: uninit-value in get_item drivers/net/ppp/pppoe.c:236 [inline] | |
18 | BUG: KMSAN: uninit-value in pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450 | |
19 | CPU: 0 PID: 4543 Comm: syz-executor355 Not tainted 4.16.0+ #87 | |
20 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google | |
21 | 01/01/2011 | |
22 | Call Trace: | |
23 | __dump_stack lib/dump_stack.c:17 [inline] | |
24 | dump_stack+0x185/0x1d0 lib/dump_stack.c:53 | |
25 | kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 | |
26 | __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683 | |
27 | __get_item drivers/net/ppp/pppoe.c:172 [inline] | |
28 | get_item drivers/net/ppp/pppoe.c:236 [inline] | |
29 | pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450 | |
30 | __netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4562 | |
31 | __netif_receive_skb net/core/dev.c:4627 [inline] | |
32 | netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701 | |
33 | netif_receive_skb+0x230/0x240 net/core/dev.c:4725 | |
34 | tun_rx_batched drivers/net/tun.c:1555 [inline] | |
35 | tun_get_user+0x740f/0x7c60 drivers/net/tun.c:1962 | |
36 | tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990 | |
37 | call_write_iter include/linux/fs.h:1782 [inline] | |
38 | new_sync_write fs/read_write.c:469 [inline] | |
39 | __vfs_write+0x7fb/0x9f0 fs/read_write.c:482 | |
40 | vfs_write+0x463/0x8d0 fs/read_write.c:544 | |
41 | SYSC_write+0x172/0x360 fs/read_write.c:589 | |
42 | SyS_write+0x55/0x80 fs/read_write.c:581 | |
43 | do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 | |
44 | entry_SYSCALL_64_after_hwframe+0x3d/0xa2 | |
45 | RIP: 0033:0x4447c9 | |
46 | RSP: 002b:00007fff64c8fc28 EFLAGS: 00000297 ORIG_RAX: 0000000000000001 | |
47 | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004447c9 | |
48 | RDX: 000000000000fd87 RSI: 0000000020000600 RDI: 0000000000000004 | |
49 | RBP: 00000000006cf018 R08: 00007fff64c8fda8 R09: 00007fff00006bda | |
50 | R10: 0000000000005fe7 R11: 0000000000000297 R12: 00000000004020d0 | |
51 | R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000 | |
52 | ||
53 | Uninit was created at: | |
54 | kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] | |
55 | kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 | |
56 | kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 | |
57 | kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 | |
58 | slab_post_alloc_hook mm/slab.h:445 [inline] | |
59 | slab_alloc_node mm/slub.c:2737 [inline] | |
60 | __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 | |
61 | __kmalloc_reserve net/core/skbuff.c:138 [inline] | |
62 | __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 | |
63 | alloc_skb include/linux/skbuff.h:984 [inline] | |
64 | alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234 | |
65 | sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085 | |
66 | tun_alloc_skb drivers/net/tun.c:1532 [inline] | |
67 | tun_get_user+0x2242/0x7c60 drivers/net/tun.c:1829 | |
68 | tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990 | |
69 | call_write_iter include/linux/fs.h:1782 [inline] | |
70 | new_sync_write fs/read_write.c:469 [inline] | |
71 | __vfs_write+0x7fb/0x9f0 fs/read_write.c:482 | |
72 | vfs_write+0x463/0x8d0 fs/read_write.c:544 | |
73 | SYSC_write+0x172/0x360 fs/read_write.c:589 | |
74 | SyS_write+0x55/0x80 fs/read_write.c:581 | |
75 | do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 | |
76 | entry_SYSCALL_64_after_hwframe+0x3d/0xa2 | |
77 | ================================================================== | |
78 | ||
79 | Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers") | |
80 | Reported-by: syzbot+f5f6080811c849739212@syzkaller.appspotmail.com | |
81 | Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> | |
82 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
83 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
84 | --- | |
85 | drivers/net/ppp/pppoe.c | 3 +++ | |
86 | 1 file changed, 3 insertions(+) | |
87 | ||
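--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -429,6 +429,9 @@ static int pppoe_rcv(struct sk_buff *skb
 if (!skb)
 goto out;
 
+if (skb_mac_header_len(skb) < ETH_HLEN)
+goto drop;
+
 if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
 goto drop;
 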
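Review bot: The added guard in pppoe_rcv() carries no comment naming the later access it protects, so a future reader may drop or reorder it; the lookup that reads eth_hdr(skb)->h_source (get_item(), per the description) sits below this hunk. I would add `/* get_item() reads eth_hdr(skb)->h_source; the mac header must hold a full Ethernet header */` directly above the check. pppoe_rcv() begins and ends outside the hunk, and the drop label is not visible here. If pppoe_disc_rcv() performs the same source-MAC lookup, it presumably needs the same guard — worth confirming rather than assuming this hunk covers both receive paths.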