CVE-2024-50033

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> slip: make slhc_remember() more robust against malicious packets<br /> <br /> syzbot found that slhc_remember() was missing checks against<br /> malicious packets [1].<br /> <br /> slhc_remember() only checked the size of the packet was at least 20,<br /> which is not good enough.<br /> <br /> We need to make sure the packet includes the IPv4 and TCP header<br /> that are supposed to be carried.<br /> <br /> Add iph and th pointers to make the code more readable.<br /> <br /> [1]<br /> <br /> BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666<br /> slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666<br /> ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455<br /> ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]<br /> ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212<br /> ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327<br /> pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379<br /> sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113<br /> __release_sock+0x1da/0x330 net/core/sock.c:3072<br /> release_sock+0x6b/0x250 net/core/sock.c:3626<br /> pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903<br /> sock_sendmsg_nosec net/socket.c:729 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:744<br /> ____sys_sendmsg+0x903/0xb60 net/socket.c:2602<br /> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656<br /> __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742<br /> __do_sys_sendmmsg net/socket.c:2771 [inline]<br /> __se_sys_sendmmsg net/socket.c:2768 [inline]<br /> __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768<br /> x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook mm/slub.c:4091 [inline]<br /> slab_alloc_node mm/slub.c:4134 [inline]<br /> kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186<br /> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587<br /> __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678<br /> alloc_skb include/linux/skbuff.h:1322 [inline]<br /> sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732<br /> pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867<br /> sock_sendmsg_nosec net/socket.c:729 [inline]<br /> __sock_sendmsg+0x30f/0x380 net/socket.c:744<br /> ____sys_sendmsg+0x903/0xb60 net/socket.c:2602<br /> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656<br /> __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742<br /> __do_sys_sendmmsg net/socket.c:2771 [inline]<br /> __se_sys_sendmmsg net/socket.c:2768 [inline]<br /> __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768<br /> x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024