Patch "net: hsr: check skb can contain struct hsr_ethhdr in fill_frame_info" has been added to the 5.10-stable tree


 



This is a note to let you know that I've just added the patch titled

    net: hsr: check skb can contain struct hsr_ethhdr in fill_frame_info

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-hsr-check-skb-can-contain-struct-hsr_ethhdr-in-f.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 6983bd337551a4816009d6e07b30885bc4024f7a
Author: Phillip Potter <phil@xxxxxxxxxxxxxxxx>
Date:   Sun May 2 22:34:42 2021 +0100

    net: hsr: check skb can contain struct hsr_ethhdr in fill_frame_info
    
    [ Upstream commit 2e9f60932a2c19e8a11b4a69d419f107024b05a0 ]
    
    Check at start of fill_frame_info that the MAC header in the supplied
    skb is large enough to fit a struct hsr_ethhdr, as otherwise this is
    not a valid HSR frame. If it is too small, return an error which will
    then cause the callers to clean up the skb. Fixes a KMSAN-found
    uninit-value bug reported by syzbot at:
    https://syzkaller.appspot.com/bug?id=f7e9b601f1414f814f7602a82b6619a8d80bce3f
    
    Reported-by: syzbot+e267bed19bfc5478fb33@xxxxxxxxxxxxxxxxxxxxxxxxx
    Signed-off-by: Phillip Potter <phil@xxxxxxxxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index b4e06ae08834..90c72e4c0a8f 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -493,6 +493,10 @@ static int fill_frame_info(struct hsr_frame_info *frame,
 	struct ethhdr *ethhdr;
 	__be16 proto;
 
+	/* Check if skb contains hsr_ethhdr */
+	if (skb->mac_len < sizeof(struct hsr_ethhdr))
+		return -EINVAL;
+
 	memset(frame, 0, sizeof(*frame));
 	frame->is_supervision = is_supervision_frame(port->hsr, skb);
 	frame->node_src = hsr_get_node(port, &hsr->node_db, skb,
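Review bot: the new check at the top of fill_frame_info is unconditional and runs before `proto` is read, so every skb whose mac_len is below sizeof(struct hsr_ethhdr) is rejected with -EINVAL regardless of its ethertype. Please confirm that every caller only passes frames that are expected to carry the HSR tag; if frames with a plain Ethernet header can reach this function, the size test should move to the point where the frame has been identified as HSR-tagged, so they are not dropped. Also note that the early return sits before `memset(frame, 0, sizeof(*frame));`, which leaves *frame untouched on the error path, so it would help to state in the comment that callers must not read frame when the return value is non-zero.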


