The ppp program adds a 2-byte pseudo-header for socket filters, which is normally skipped by regular BPF programs generated by libpcap, causing no issues. However, for abnormal BPF programs that use these uninitialized 2 bytes, a KMSAN warning is triggered. Reported-by: syzbot+853242d9c9917165d791@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://lore.kernel.org/bpf/000000000000dea025060d6bc3bc@xxxxxxxxxx/ Signed-off-by: Jiayuan Chen <jiayuan.chen@xxxxxxxxx> --- drivers/net/ppp/ppp_generic.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index 4583e15ad03a..ac95196c85df 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -1762,10 +1762,16 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) if (proto < 0x8000) { #ifdef CONFIG_PPP_FILTER - /* check if we should pass this packet */ - /* the filter instructions are constructed assuming - a four-byte PPP header on each packet */ - *(u8 *)skb_push(skb, 2) = 1; + /* Check if we should pass this packet. + * BPF filter instructions assume each PPP packet has a 4-byte + * header (e.g., those generated by libpcap), and then default + * to skipping the first 2 bytes at the beginning of the + * instruction. However, we still need to initialize these + * 2-byte new headers to prevent crafted BPF programs from + * reading them which would cause reading of uninitialized + * data. Here, we set the headers according to the RFC 1662. + */ + *(u16 *)skb_push(skb, 2) = htons(0xff03); if (ppp->pass_filter && bpf_prog_run(ppp->pass_filter, skb) == 0) { if (ppp->debug & 1) -- 2.47.1
