CVE-2023-52843

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/05/2024
Last modified:
24/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

llc: verify mac len before reading mac header

LLC reads the mac header with eth_hdr without verifying that the skb
has an Ethernet header.

Syzbot was able to enter llc_rcv on a tun device. Tun can insert
packets without mac len and with user configurable skb->protocol
(passing a tun_pi header when not configuring IFF_NO_PI).

BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218
__netif_receive_skb_one_core net/core/dev.c:5523 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
netif_receive_skb_internal net/core/dev.c:5723 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5782
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002

Add a mac_len test before all three eth_hdr(skb) calls under net/llc.

There are further uses in include/net/llc_pdu.h. All these are
protected by a test skb->protocol == ETH_P_802_2. Which does not
protect against this tun scenario.

But the mac_len test added in this patch in llc_fixup_skb will
indirectly protect those too. That is called from llc_rcv before any
other LLC code.

It is tempting to just add a blanket mac_len check in llc_rcv, but
not sure whether that could break valid LLC paths that do not assume
an Ethernet header. 802.2 LLC may be used on top of non-802.3
protocols in principle. The below referenced commit shows that used
to, on top of Token Ring.

At least one of the three eth_hdr uses goes back to before the start
of git history. But the one that syzbot exercises is introduced in
this commit. That commit is old enough (2008), that effectively all
stable kernels should receive this.
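The commit message above explains why a skb->protocol check alone is not enough (tun lets userspace choose the protocol while never setting a link-layer header) and why a skb->mac_len check before eth_hdr() closes the gap. The following is an added illustration written for this page, not the kernel's code: it models the two checks with a toy stand-in for struct sk_buff (an assumption; only the fields the example needs) and two constructed packets, one from an Ethernet NIC and one from a tun device. ETH_HLEN, ETH_ALEN and ETH_P_802_2 carry their real kernel values; everything else is constructed.

```c
/* Added illustration for CVE-2023-52843; not the kernel's code. It shows,
 * with a toy sk_buff, why the skb->protocol == ETH_P_802_2 test does not
 * protect an eth_hdr() read, and what the mac_len test in llc_fixup_skb adds. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN    6
#define ETH_HLEN    14
#define ETH_P_802_2 0x0004   /* real value from <linux/if_ether.h> */

/* Same layout as the kernel's struct ethhdr. */
struct ethhdr {
    uint8_t  h_dest[ETH_ALEN];
    uint8_t  h_source[ETH_ALEN];
    uint16_t h_proto;
};

/* Toy stand-in for struct sk_buff (assumption: only the fields used here). */
struct toy_skb {
    uint8_t      buf[64];   /* backing storage; skb->data starts at buf[0] */
    unsigned int len;       /* valid bytes in buf */
    unsigned int mac_len;   /* link-layer header length; 0 means none was set */
    uint16_t     protocol;  /* what the driver (or tun's userspace) claimed */
};

/* Copies the frame's source MAC into out. Returns 0 on success, -1 if the
 * frame is rejected. check_mac_len selects pre-fix (0) or post-fix (1) logic. */
static int llc_source_mac(const struct toy_skb *skb, int check_mac_len,
                          uint8_t out[ETH_ALEN])
{
    /* The test the LLC code already had: only the advertised protocol. */
    if (skb->protocol != ETH_P_802_2)
        return -1;
    /* The fix: also require that a full Ethernet header was recorded. */
    if (check_mac_len && skb->mac_len < ETH_HLEN)
        return -1;
    const struct ethhdr *eh = (const struct ethhdr *)skb->buf;  /* eth_hdr(skb) */
    memcpy(out, eh->h_source, ETH_ALEN);
    return 0;
}

/* Constructed frame as an Ethernet NIC delivers it: the driver's
 * eth_type_trans() has set mac_len = 14 and protocol from the 802.3 length. */
static struct toy_skb make_eth_skb(void)
{
    static const uint8_t frame[] = {
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* dst */
        0x02, 0x00, 0x00, 0x00, 0x00, 0x02,   /* src */
        0x00, 0x03,                           /* 802.3 length = 3 */
        0x42, 0x42, 0x03                      /* LLC: DSAP, SSAP, UI */
    };
    struct toy_skb s;
    memset(&s, 0, sizeof s);
    memcpy(s.buf, frame, sizeof frame);
    s.len = sizeof frame;
    s.mac_len = ETH_HLEN;
    s.protocol = ETH_P_802_2;
    return s;
}

/* Constructed packet as tun hands it up without IFF_NO_PI: userspace chose the
 * protocol via tun_pi, no link-layer header exists, so mac_len stays 0 and the
 * bytes eth_hdr() reads are whatever sits in the buffer (0xAA stands in for the
 * uninitialised memory that KMSAN reported). */
static struct toy_skb make_tun_skb(void)
{
    static const uint8_t payload[] = { 0x42, 0x42, 0x03 };
    struct toy_skb s;
    memset(s.buf, 0xAA, sizeof s.buf);
    memcpy(s.buf, payload, sizeof payload);
    s.len = sizeof payload;
    s.mac_len = 0;
    s.protocol = ETH_P_802_2;
    return s;
}

/* Each demo returns 1 when the scenario behaves as described in the text. */
static int demo_eth_guarded(void)
{   /* genuine Ethernet frame: passes both tests, source MAC is read correctly */
    uint8_t m[ETH_ALEN]; struct toy_skb s = make_eth_skb();
    return llc_source_mac(&s, 1, m) == 0 && m[5] == 0x02;
}
static int demo_tun_unguarded(void)
{   /* pre-fix: protocol test alone passes and stale bytes are read as a MAC */
    uint8_t m[ETH_ALEN]; struct toy_skb s = make_tun_skb();
    return llc_source_mac(&s, 0, m) == 0 && m[0] == 0xAA;
}
static int demo_tun_guarded(void)
{   /* post-fix: mac_len < ETH_HLEN rejects the packet before any read */
    uint8_t m[ETH_ALEN]; struct toy_skb s = make_tun_skb();
    return llc_source_mac(&s, 1, m) == -1;
}

int main(void)
{
    printf("eth frame, guarded:    %s\n", demo_eth_guarded()   ? "accepted" : "rejected");
    printf("tun packet, unguarded: %s\n", demo_tun_unguarded() ? "stale bytes read" : "rejected");
    printf("tun packet, guarded:   %s\n", demo_tun_guarded()   ? "rejected" : "accepted");
    return 0;
}
```

The model mirrors the placement argument in the commit message: because llc_fixup_skb runs from llc_rcv before any other LLC code, a mac_len test there also covers the eth_hdr() uses in include/net/llc_pdu.h that only check skb->protocol, without being a blanket check in llc_rcv that might affect LLC over non-802.3 media.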

Vulnerable products and versions

CPE                                                From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       2.6.26 (including)   4.14.330 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.15 (including)     4.19.299 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.20 (including)     5.4.261 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.5 (including)      5.10.201 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11 (including)     5.15.139 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16 (including)     6.1.63 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.2 (including)      6.5.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.6 (including)      6.6.2 (excluding)
cpe:2.3:o:linux:linux_kernel:2.6.25:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.25:rc9:*:*:*:*:*:*