CVE-2024-56648

Source
https://cve.org/CVERecord?id=CVE-2024-56648
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56648.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-56648
Published
2024-12-27T15:02:48.687Z
Modified
2026-03-20T12:40:56.183311Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
net: hsr: avoid potential out-of-bound access in fill_frame_info()
Details

In the Linux kernel, the following vulnerability has been resolved:

net: hsr: avoid potential out-of-bound access in fill_frame_info()

syzbot is able to feed a packet with 14 bytes, pretending it is a vlan one.

Since fill_frame_info() is relying on skb->mac_len already, extend the check to cover this case.

BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:709 [inline]
BUG: KMSAN: uninit-value in hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724
  fill_frame_info net/hsr/hsr_forward.c:709 [inline]
  hsr_forward_skb+0x9ee/0x3b10 net/hsr/hsr_forward.c:724
  hsr_dev_xmit+0x2f0/0x350 net/hsr/hsr_device.c:235
  __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
  netdev_start_xmit include/linux/netdevice.h:5011 [inline]
  xmit_one net/core/dev.c:3590 [inline]
  dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3606
  __dev_queue_xmit+0x366a/0x57d0 net/core/dev.c:4434
  dev_queue_xmit include/linux/netdevice.h:3168 [inline]
  packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
  packet_snd net/packet/af_packet.c:3146 [inline]
  packet_sendmsg+0x91ae/0xa6f0 net/packet/af_packet.c:3178
  sock_sendmsg_nosec net/socket.c:711 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:726
  __sys_sendto+0x594/0x750 net/socket.c:2197
  __do_sys_sendto net/socket.c:2204 [inline]
  __se_sys_sendto net/socket.c:2200 [inline]
  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200
  x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4091 [inline]
  slab_alloc_node mm/slub.c:4134 [inline]
  kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
  __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
  alloc_skb include/linux/skbuff.h:1323 [inline]
  alloc_skb_with_frags+0xc8/0xd00 net/core/skbuff.c:6612
  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2881
  packet_alloc_skb net/packet/af_packet.c:2995 [inline]
  packet_snd net/packet/af_packet.c:3089 [inline]
  packet_sendmsg+0x74c6/0xa6f0 net/packet/af_packet.c:3178
  sock_sendmsg_nosec net/socket.c:711 [inline]
  __sock_sendmsg+0x30f/0x380 net/socket.c:726
  __sys_sendto+0x594/0x750 net/socket.c:2197
  __do_sys_sendto net/socket.c:2204 [inline]
  __se_sys_sendto net/socket.c:2200 [inline]
  __x64_sys_sendto+0x125/0x1d0 net/socket.c:2200
  x64_sys_call+0x346a/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:45
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56648.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f6442ee08fe66c8e45c4f246531a2aaf4f17a7a7
Fixed
aa632691c722a123e47ccd05a3afdd5f87a36061
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
48b491a5cc74333c4a6a82fe21cea42c055a3b0b
Fixed
c6e778901d0055356c4fb223058364cae731494a
Fixed
6bb5c8ebc99f0671dbd3c9408ebaf935c3951186
Fixed
3c215663b3e27a3b08cefcaea623ff54c70c8035
Fixed
7ea527fbd7b94d0bee64a0a7e98279bcc654b322
Fixed
b9653d19e556c6afd035602927a93d100a0d7644
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
4ffd1d4a6b306ff69cbe412d2c54d2dd349ff436

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56648.json"