Patch "netrom: check buffer length before accessing it" has been added to the 5.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 4 Jan 2025 09:36:07 -0500

This is a note to let you know that I've just added the patch titled

    netrom: check buffer length before accessing it

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netrom-check-buffer-length-before-accessing-it.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit b6f5f8b3161a61d19851364fd051d9a2331ed15e
Author: Ilya Shchipletsov <rabbelkin@xxxxxxx>
Date:   Thu Dec 19 08:23:07 2024 +0000

    netrom: check buffer length before accessing it
    
    [ Upstream commit a4fd163aed2edd967a244499754dec991d8b4c7d ]
    
    Syzkaller reports an uninit value read from ax25cmp when sending raw message
    through ieee802154 implementation.
    
    =====================================================
    BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119
     ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119
     nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601
     nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774
     nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144
     __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
     netdev_start_xmit include/linux/netdevice.h:4954 [inline]
     xmit_one net/core/dev.c:3548 [inline]
     dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
     __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
     dev_queue_xmit include/linux/netdevice.h:3134 [inline]
     raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299
     ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
     sock_sendmsg_nosec net/socket.c:730 [inline]
     __sock_sendmsg net/socket.c:745 [inline]
     ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
     ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
     __sys_sendmsg net/socket.c:2667 [inline]
     __do_sys_sendmsg net/socket.c:2676 [inline]
     __se_sys_sendmsg net/socket.c:2674 [inline]
     __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    
    Uninit was created at:
     slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
     slab_alloc_node mm/slub.c:3478 [inline]
     kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
     kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
     __alloc_skb+0x318/0x740 net/core/skbuff.c:651
     alloc_skb include/linux/skbuff.h:1286 [inline]
     alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334
     sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780
     sock_alloc_send_skb include/net/sock.h:1884 [inline]
     raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282
     ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
     sock_sendmsg_nosec net/socket.c:730 [inline]
     __sock_sendmsg net/socket.c:745 [inline]
     ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
     ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
     __sys_sendmsg net/socket.c:2667 [inline]
     __do_sys_sendmsg net/socket.c:2676 [inline]
     __se_sys_sendmsg net/socket.c:2674 [inline]
     __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    
    CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
    =====================================================
    
    This issue occurs because the skb buffer is too small, and it's actual
    allocation is aligned. This hides an actual issue, which is that nr_route_frame
    does not validate the buffer size before using it.
    
    Fix this issue by checking skb->len before accessing any fields in skb->data.
    
    Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Co-developed-by: Nikita Marushkin <hfggklm@xxxxxxxxx>
    Signed-off-by: Nikita Marushkin <hfggklm@xxxxxxxxx>
    Signed-off-by: Ilya Shchipletsov <rabbelkin@xxxxxxx>
    Link: https://patch.msgid.link/20241219082308.3942-1-rabbelkin@xxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
index 85e4637dc8ab..e1a682690154 100644
--- a/net/netrom/nr_route.c
+++ b/net/netrom/nr_route.c
@@ -751,6 +751,12 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
 	int ret;
 	struct sk_buff *skbn;
 
+	/*
+	 * Reject malformed packets early. Check that it contains at least 2
+	 * addresses and 1 byte more for Time-To-Live
+	 */
+	if (skb->len < 2 * sizeof(ax25_address) + 1)
+		return 0;
 
 	nr_src  = (ax25_address *)(skb->data + 0);
 	nr_dest = (ax25_address *)(skb->data + 7);







