Patch "ppp: reject claimed-as-LCP but actually malformed packets" has been added to the 5.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 13 Jul 2024 09:34:19 -0400

This is a note to let you know that I've just added the patch titled

    ppp: reject claimed-as-LCP but actually malformed packets

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ppp-reject-claimed-as-lcp-but-actually-malformed-pac.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9d308da2bcf2c23807de4b6847b91c25b4348c66
Author: Dmitry Antipov <dmantipov@xxxxxxxxx>
Date:   Mon Jul 8 14:56:15 2024 +0300

    ppp: reject claimed-as-LCP but actually malformed packets
    
    [ Upstream commit f2aeb7306a898e1cbd03963d376f4b6656ca2b55 ]
    
    Since 'ppp_async_encode()' assumes valid LCP packets (with code
    from 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that
    LCP packet has an actual body beyond PPP_LCP header bytes, and
    reject claimed-as-LCP but actually malformed data otherwise.
    
    Reported-by: syzbot+ec0723ba9605678b14bf@xxxxxxxxxxxxxxxxxxxxxxxxx
    Closes: https://syzkaller.appspot.com/bug?extid=ec0723ba9605678b14bf
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>
    Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 078c0f474f966..3cd4196b36b21 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -70,6 +70,7 @@
 #define MPHDRLEN_SSN	4	/* ditto with short sequence numbers */
 
 #define PPP_PROTO_LEN	2
+#define PPP_LCP_HDRLEN	4
 
 /*
  * An instance of /dev/ppp can be associated with either a ppp
@@ -491,6 +492,15 @@ static ssize_t ppp_read(struct file *file, char __user *buf,
 	return ret;
 }
 
+static bool ppp_check_packet(struct sk_buff *skb, size_t count)
+{
+	/* LCP packets must include LCP header which 4 bytes long:
+	 * 1-byte code, 1-byte identifier, and 2-byte length.
+	 */
+	return get_unaligned_be16(skb->data) != PPP_LCP ||
+		count >= PPP_PROTO_LEN + PPP_LCP_HDRLEN;
+}
+
 static ssize_t ppp_write(struct file *file, const char __user *buf,
 			 size_t count, loff_t *ppos)
 {
@@ -513,6 +523,11 @@ static ssize_t ppp_write(struct file *file, const char __user *buf,
 		kfree_skb(skb);
 		goto out;
 	}
+	ret = -EINVAL;
+	if (unlikely(!ppp_check_packet(skb, count))) {
+		kfree_skb(skb);
+		goto out;
+	}
 
 	switch (pf->kind) {
 	case INTERFACE:







