linux

mirror of https://github.com/hardkernel/linux.git synced 2026-06-05 10:31:46 +09:00

Go to file

Arnaud Lecomte b78f2b458f net: ppp: Add bound checking for skb data on ppp_sync_txmung

[ Upstream commit aabc6596ffb377c4c9c8f335124b92ea282c9821 ]

Ensure we have enough data in linear buffer from skb before accessing
initial bytes. This prevents potential out-of-bounds accesses
when processing short packets.

When ppp_sync_txmung receives an incoming package with an empty
payload:
(remote) gef➤  p *(struct pppoe_hdr *) (skb->head + skb->network_header)
$18 = {
	type = 0x1,
	ver = 0x1,
	code = 0x0,
	sid = 0x2,
        length = 0x0,
	tag = 0xffff8880371cdb96
}

from the skb struct (trimmed)
      tail = 0x16,
      end = 0x140,
      head = 0xffff88803346f400 "4",
      data = 0xffff88803346f416 ":\377",
      truesize = 0x380,
      len = 0x0,
      data_len = 0x0,
      mac_len = 0xe,
      hdr_len = 0x0,

it is not safe to access data[2].

Reported-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40
Tested-by: syzbot+29fc8991b0ecb186cf40@syzkaller.appspotmail.com
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
Link: https://patch.msgid.link/20250408-bound-checking-ppp_txmung-v2-1-94bb6e1b92d0@arnaud-lcm.com
[pabeni@redhat.com: fixed subj typo]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

2025-04-25 10:43:26 +02:00

arch

arm64: Don't call NULL in do_compat_alignment_fixup()

2025-04-10 14:33:43 +02:00

block

block, bfq: fix re-introduced UAF in bic_set_bfqq()

2025-03-28 21:59:02 +01:00

certs

certs: Fix build error when PKCS#11 URI contains semicolon

2023-02-09 11:28:11 +01:00

crypto

crypto: api - Add crypto_clone_tfm

2024-12-14 19:53:51 +01:00

Documentation

sched/isolation: Prevent boot crash when the boot CPU is nohz_full

2025-03-28 21:58:48 +01:00

drivers

net: ppp: Add bound checking for skb data on ppp_sync_txmung

2025-04-25 10:43:26 +02:00

NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up

2025-04-10 14:33:43 +02:00

include

rtnl: add helper to check if a notification is needed

2025-04-25 10:43:25 +02:00

init

rust: Disallow BTF generation with Rust + LTO

2025-03-28 21:58:57 +01:00

io_uring

io_uring/filetable: ensure node switch is always done, if needed

2025-04-10 14:33:41 +02:00

ipc

ipc: fix memleak if msg_init_ns failed in create_ipc_ns

2024-12-14 19:54:06 +01:00

kernel

tracing: Do not use PERF enums when perf is not defined

2025-04-10 14:33:43 +02:00

lib

kunit/overflow: Fix UB in overflow_allocation_test

2025-04-10 14:33:42 +02:00

LICENSES

LICENSES/LGPL-2.1: Add LGPL-2.1-or-later as valid identifiers

2021-12-16 14:33:10 +01:00

lockdep/mm: Fix might_fault() lockdep check of current->mm->mmap_lock

2025-04-10 14:33:30 +02:00

net

ipv6: Align behavior across nexthops during path selection

2025-04-25 10:43:26 +02:00

rust

scripts: generate_rust_analyzer: provide cfgs for core and alloc

2025-03-28 21:58:57 +01:00

samples

samples/landlock: Fix possible NULL dereference in parse_path()

2025-02-21 13:49:03 +01:00

scripts

selinux: Chain up tool resolving errors in install_policy.sh

2025-04-10 14:33:30 +02:00

security

smack: dont compile ipv6 code unless ipv6 is configured

2025-04-10 14:33:30 +02:00

sound

ASoC: imx-card: Add NULL check in imx_card_probe()

2025-04-10 14:33:40 +02:00

tools

selftests/futex: futex_waitv wouldblock test should fail

2025-04-25 10:43:24 +02:00

usr

usr/gen_init_cpio.c: remove unnecessary -1 values from int file

2022-10-03 14:21:44 -07:00

virt

KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()

2024-06-27 13:46:21 +02:00

.clang-format

inet: ping: use hlist_nulls rcu iterator during lookup

2022-12-01 12:42:46 +01:00

.cocciconfig

scripts: add Linux .cocciconfig for coccinelle

2016-07-22 12:13:39 +02:00

.get_maintainer.ignore

get_maintainer: add Alan to .get_maintainer.ignore

2022-08-20 15:17:44 -07:00

.gitattributes

.gitattributes: use 'dts' diff driver for dts files

2019-12-04 19:44:11 -08:00

.gitignore

Remove *.orig pattern from .gitignore

2024-10-17 15:21:15 +02:00

.mailmap

Merge tag 'mm-hotfixes-stable-2022-12-10-1' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

2022-12-10 17:10:52 -08:00

.rustfmt.toml

rust: add .rustfmt.toml

2022-09-28 09:02:20 +02:00

COPYING

COPYING: state that all contributions really are covered by this file

2020-02-10 13:32:20 -08:00

CREDITS

MAINTAINERS: Remove Michal Marek from Kbuild maintainers

2022-11-16 14:53:00 +09:00

Kbuild

Merge tag 'kbuild-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild

2022-10-10 12:00:45 -07:00

Kconfig

kbuild: ensure full rebuild when the compiler is updated

2020-05-12 13:28:33 +09:00

MAINTAINERS

MAINTAINERS: add leah to 6.1 MAINTAINERS file

2024-05-17 11:56:16 +02:00

Makefile

Linux 6.1.134

2025-04-10 14:33:44 +02:00

README

Drop all 00-INDEX files from Documentation/

2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.