diff mbox series

[net] ppp: fix ppp_async_encode() illegal access

Message ID: 20241009185802.3763282-1-edumazet@google.com (mailing list archive)
State: Accepted
Commit: 40dddd4b8bd08a69471efd96107a4e1c73fabefc
Delegated to: Netdev Maintainers
Series: [net] ppp: fix ppp_async_encode() illegal access

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net, async
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 6 this patch: 6
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 1 maintainers not CCed: linux-ppp@vger.kernel.org
netdev/build_clang success Errors and warnings before: 6 this patch: 6
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 5 this patch: 5
netdev/checkpatch warning WARNING: Possible repeated word: 'Google'
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-10-10--09-00 (tests: 775)

Commit Message

Eric Dumazet Oct. 9, 2024, 6:58 p.m. UTC
syzbot reported an issue in ppp_async_encode() [1]

In this case, pppoe_sendmsg() is called with a zero size.
Then ppp_async_encode() is called with an empty skb.

BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
 BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
  ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
  ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
  ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634
  ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]
  ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304
  pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
  sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
  __release_sock+0x1da/0x330 net/core/sock.c:3072
  release_sock+0x6b/0x250 net/core/sock.c:3626
  pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4092 [inline]
  slab_alloc_node mm/slub.c:4135 [inline]
  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
  alloc_skb include/linux/skbuff.h:1322 [inline]
  sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
  pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
  sock_sendmsg_nosec net/socket.c:729 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:744
  ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
  __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
  __do_sys_sendmmsg net/socket.c:2771 [inline]
  __se_sys_sendmmsg net/socket.c:2768 [inline]
  __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
  x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+1d121645899e7692f92a@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 drivers/net/ppp/ppp_async.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
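Added example, not the kernel's code and not part of this patch: a stand-alone C model of the async-HDLC framing that ppp_async_encode() performs, written to show why the read of `data[2]` needs a length guard and what the "as though no options had been negotiated" rule changes on the wire (forced Address/Control bytes and forced escaping of every control byte, whatever the negotiated ACCM). The function and constant names (`ppp_is_unnegotiated_lcp`, `ppp_async_frame`, `ppp_async_unframe`, `put_byte`), the simplified transmit ACCM (one 32-bit word for bytes 0x00-0x1f) and the sample packet are this example's own assumptions; the escaping and FCS rules follow RFC 1662, not the driver's internal `asyncppp` state. A receiver is included so the output can be verified against the FCS rather than eyeballed.

```c
#include <stdint.h>
#include <string.h>

enum { PPP_FLAG = 0x7e, PPP_ESCAPE = 0x7d, PPP_TRANS = 0x20, PPP_LCP = 0xc021 };
enum { PPP_INITFCS = 0xffff, PPP_GOODFCS = 0xf0b8 }; /* GOODFCS: residue of a valid frame */

/* PPP FCS-16 (RFC 1662), bit-serial form of the fcstab update. */
static uint16_t ppp_fcs16(uint16_t fcs, uint8_t c)
{
    fcs ^= c;
    for (int k = 0; k < 8; k++)
        fcs = (fcs & 1) ? (fcs >> 1) ^ 0x8408 : fcs >> 1;
    return fcs;
}

/* The check the patch guards: data[2] is the LCP code byte and exists only when the
 * packet holds protocol (2 bytes) + code (1 byte). The unguarded form read past
 * the end of an empty packet. (Example's own helper, not the driver's.) */
static int ppp_is_unnegotiated_lcp(const uint8_t *data, size_t count)
{
    if (count < 3)
        return 0;
    uint16_t proto = (uint16_t)((data[0] << 8) | data[1]);
    return proto == PPP_LCP && 1 <= data[2] && data[2] <= 7;
}

/* Emit one byte: 0x7e/0x7d always escaped; control bytes per ACCM bit c, or always when islcp. */
static int put_byte(uint8_t *out, size_t outsz, size_t *o, uint8_t c,
                    uint32_t xaccm, int islcp)
{
    int esc = c == PPP_FLAG || c == PPP_ESCAPE ||
              (c < 0x20 && (islcp || (xaccm & (1u << c))));
    if (*o + (esc ? 2u : 1u) > outsz)
        return 0;
    if (esc) {
        out[(*o)++] = PPP_ESCAPE;
        c ^= PPP_TRANS;
    }
    out[(*o)++] = c;
    return 1;
}

/* Frame one PPP packet (protocol field first). comp_ac: peer accepted
 * Address/Control compression. Returns frame length or -1. */
static int ppp_async_frame(const uint8_t *data, size_t count, uint32_t xaccm,
                           int comp_ac, uint8_t *out, size_t outsz)
{
    size_t o = 0;
    uint16_t fcs = PPP_INITFCS;
    if (count < 2 || outsz < 1)         /* no protocol field: nothing to send */
        return -1;
    int islcp = ppp_is_unnegotiated_lcp(data, count);
    out[o++] = PPP_FLAG;
    if (!comp_ac || islcp) {            /* LCP 1..7 never compresses A/C */
        if (!put_byte(out, outsz, &o, 0xff, xaccm, islcp) ||
            !put_byte(out, outsz, &o, 0x03, xaccm, islcp))
            return -1;
        fcs = ppp_fcs16(ppp_fcs16(fcs, 0xff), 0x03);
    }
    for (size_t i = 0; i < count; i++) {
        fcs = ppp_fcs16(fcs, data[i]);
        if (!put_byte(out, outsz, &o, data[i], xaccm, islcp))
            return -1;
    }
    fcs ^= 0xffff;                      /* sent complemented, low byte first */
    if (!put_byte(out, outsz, &o, fcs & 0xff, xaccm, islcp) ||
        !put_byte(out, outsz, &o, fcs >> 8, xaccm, islcp) || o >= outsz)
        return -1;
    out[o++] = PPP_FLAG;
    return (int)o;
}

/* Receiver: unescape, verify FCS, strip A/C if present. Returns packet length or -1. */
static int ppp_async_unframe(const uint8_t *in, size_t n, uint8_t *out, size_t outsz)
{
    uint8_t buf[512];
    size_t m = 0;
    uint16_t fcs = PPP_INITFCS;
    if (n < 2 || n > sizeof buf || in[0] != PPP_FLAG || in[n - 1] != PPP_FLAG)
        return -1;
    for (size_t i = 1; i + 1 < n; i++) {
        uint8_t c = in[i];
        if (c == PPP_ESCAPE) {
            if (i + 2 >= n)             /* escape right before the closing flag */
                return -1;
            c = in[++i] ^ PPP_TRANS;
        }
        fcs = ppp_fcs16(fcs, buf[m++] = c);
    }
    if (m < 4 || fcs != PPP_GOODFCS)
        return -1;
    m -= 2;                             /* drop the FCS */
    size_t start = (buf[0] == 0xff && buf[1] == 0x03) ? 2 : 0;
    if (m - start > outsz)
        return -1;
    memcpy(out, buf + start, m - start);
    return (int)(m - start);
}

/* Constructed sample: LCP Configure-Request, code 1, id 1, length 4. */
static const uint8_t lcp_confreq[] = { 0xc0, 0x21, 0x01, 0x01, 0x00, 0x04 };
```

With `xaccm == 0` and A/C compression on, the Configure-Request still goes out as `7e ff 7d 23 c0 21 7d 21 ...` because `islcp` forces the A/C bytes and escapes every control byte; the same bytes with an IP protocol field go out unescaped and without A/C. The length test sits on `count` before `data[0..2]` are touched, so an empty packet of the kind the commit message describes is refused rather than read, and the receiver's `PPP_GOODFCS` comparison doubles as a check on the CRC routine.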

Comments

Simon Horman Oct. 10, 2024, 10:04 a.m. UTC | #1
On Wed, Oct 09, 2024 at 06:58:02PM +0000, Eric Dumazet wrote:
> syzbot reported an issue in ppp_async_encode() [1]
> 
> In this case, pppoe_sendmsg() is called with a zero size.
> Then ppp_async_encode() is called with an empty skb.
> 
> BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
>  BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
>   ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
>   ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
>   ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634
>   ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]
>   ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304
>   pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
>   sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
>   __release_sock+0x1da/0x330 net/core/sock.c:3072
>   release_sock+0x6b/0x250 net/core/sock.c:3626
>   pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
>   sock_sendmsg_nosec net/socket.c:729 [inline]
>   __sock_sendmsg+0x30f/0x380 net/socket.c:744
>   ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
>   ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
>   __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
>   __do_sys_sendmmsg net/socket.c:2771 [inline]
>   __se_sys_sendmmsg net/socket.c:2768 [inline]
>   __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
>   x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> Uninit was created at:
>   slab_post_alloc_hook mm/slub.c:4092 [inline]
>   slab_alloc_node mm/slub.c:4135 [inline]
>   kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187
>   kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
>   __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
>   alloc_skb include/linux/skbuff.h:1322 [inline]
>   sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
>   pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
>   sock_sendmsg_nosec net/socket.c:729 [inline]
>   __sock_sendmsg+0x30f/0x380 net/socket.c:744
>   ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
>   ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
>   __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
>   __do_sys_sendmmsg net/socket.c:2771 [inline]
>   __se_sys_sendmmsg net/socket.c:2768 [inline]
>   __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
>   x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: syzbot+1d121645899e7692f92a@syzkaller.appspotmail.com
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Reviewed-by: Simon Horman <horms@kernel.org>
patchwork-bot+netdevbpf@kernel.org Oct. 10, 2024, 4:10 p.m. UTC | #2
Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed,  9 Oct 2024 18:58:02 +0000 you wrote:
> syzbot reported an issue in ppp_async_encode() [1]
> 
> In this case, pppoe_sendmsg() is called with a zero size.
> Then ppp_async_encode() is called with an empty skb.
> 
> BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
>  BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
>   ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
>   ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
>   ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634
>   ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]
>   ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304
>   pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
>   sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
>   __release_sock+0x1da/0x330 net/core/sock.c:3072
>   release_sock+0x6b/0x250 net/core/sock.c:3626
>   pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
>   sock_sendmsg_nosec net/socket.c:729 [inline]
>   __sock_sendmsg+0x30f/0x380 net/socket.c:744
>   ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
>   ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
>   __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
>   __do_sys_sendmmsg net/socket.c:2771 [inline]
>   __se_sys_sendmmsg net/socket.c:2768 [inline]
>   __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
>   x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> [...]

Here is the summary with links:
  - [net] ppp: fix ppp_async_encode() illegal access
    https://git.kernel.org/netdev/net/c/40dddd4b8bd0

You are awesome, thank you!

Patch

diff --git a/drivers/net/ppp/ppp_async.c b/drivers/net/ppp/ppp_async.c
index a940b9a67107a9f1523ecaae5d49448d977cfe00..c97406c6004d421623c1a3b0b8e30e9237c1dfeb 100644
--- a/drivers/net/ppp/ppp_async.c
+++ b/drivers/net/ppp/ppp_async.c
@@ -542,7 +542,7 @@  ppp_async_encode(struct asyncppp *ap)
 	 * and 7 (code-reject) must be sent as though no options
 	 * had been negotiated.
 	 */
-	islcp = proto == PPP_LCP && 1 <= data[2] && data[2] <= 7;
+	islcp = proto == PPP_LCP && count >= 3 && 1 <= data[2] && data[2] <= 7;
 
 	if (i == 0) {
 		if (islcp)
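Review bot: the added `count >= 3` covers the `data[2]` read, but `proto` in the same expression is derived from `data` earlier in the function, outside this hunk; since the commit message says ppp_async_encode() is entered with an empty skb, confirm that the earlier read is covered as well, for instance by testing `count` once near the top of the function rather than only in this line. Putting the length test first, `count >= 3 && proto == PPP_LCP && 1 <= data[2] && data[2] <= 7`, would also make it read as the bounds check it is, although short-circuit evaluation already makes the current order safe for `data[2]`.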