From: Mashiro Chen
To: netdev@vger.kernel.org
Cc: andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com,
 kuba@kernel.org, pabeni@redhat.com, jreuter@yaina.de,
 linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org,
 Mashiro Chen, stable@vger.kernel.org
Subject: [PATCH net 1/2] net: hamradio: bpqether: validate frame length in bpq_rcv()
Date: Thu, 9 Apr 2026 01:23:57 +0800
Message-ID: <20260408172358.281186-2-mashiro.chen@mailbox.org>
In-Reply-To: <20260408172358.281186-1-mashiro.chen@mailbox.org>
References: <20260408172358.281186-1-mashiro.chen@mailbox.org>

The BPQ length field is decoded as:

  len = skb->data[0] + skb->data[1] * 256 - 5;

If the sender sets bytes [0..1] to values whose combined value is less
than 5, len becomes negative. Passing a negative int to skb_trim()
silently converts to a huge unsigned value, causing the function to be
a no-op. The frame is then passed up to AX.25 with its original
(untrimmed) payload, delivering garbage beyond the declared frame
boundary. Additionally, a negative len corrupts the 64-bit rx_bytes
counter through implicit sign-extension.

Add a bounds check before pulling the length bytes: reject frames where
len is negative or exceeds the remaining skb data.

Cc: stable@vger.kernel.org
Cc: linux-hams@vger.kernel.org
Signed-off-by: Mashiro Chen
Acked-by: Joerg Reuter
--- drivers/net/hamradio/bpqether.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/hamradio/bpqether.c b/drivers/net/hamradio/bpqethe= r.c index 045c5177262eaf..214fd1f819a1bb 100644 --- a/drivers/net/hamradio/bpqether.c +++ b/drivers/net/hamradio/bpqether.c 
@@ -187,6 +187,9 @@ static int bpq_rcv(struct sk_buff *skb, struct net_devi= ce *dev, struct packet_ty =20 len =3D skb->data[0] + skb->data[1] * 256 - 5; =20 + if (len < 0 || len > skb->len - 2) + goto drop_unlock; + skb_pull(skb, 2); /* Remove the length bytes */ skb_trim(skb, len); /* Set the length of the data */ =20 --=20 2.53.0
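
Review bot: in the added test `len > skb->len - 2`, skb->len is unsigned, so the subtraction wraps to a very large value whenever skb->len is below 2, and the upper bound then rejects nothing; the unchanged line above has also already read skb->data[0] and skb->data[1] by that point. If an earlier check in bpq_rcv() (not visible in this hunk) guarantees at least two bytes of linear data, a short comment saying so would help; otherwise test the length first, for example `if (skb->len < 2 || len < 0 || len > skb->len - 2)`, and decode len only after that. The signed len is also compared against an unsigned expression, which is safe only because `len < 0` is evaluated first, so the order of the two conditions should not be swapped.
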
From: Mashiro Chen
To: netdev@vger.kernel.org
Cc: andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com,
 kuba@kernel.org, pabeni@redhat.com, jreuter@yaina.de,
 linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org,
 Mashiro Chen, stable@vger.kernel.org
Subject: [PATCH net 2/2] net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl
Date: Thu, 9 Apr 2026 01:23:58 +0800
Message-ID: <20260408172358.281186-3-mashiro.chen@mailbox.org>
In-Reply-To: <20260408172358.281186-1-mashiro.chen@mailbox.org>
References: <20260408172358.281186-1-mashiro.chen@mailbox.org>

The SIOCSCCSMEM ioctl copies a scc_mem_config from user space and
assigns its bufsize field directly to scc->stat.bufsize without any
range validation:

  scc->stat.bufsize = memcfg.bufsize;

If a privileged user (CAP_SYS_RAWIO) sets bufsize to 0, the receive
interrupt handler later calls dev_alloc_skb(0) and immediately writes
a KISS type byte via skb_put_u8() into a zero-capacity socket buffer,
corrupting the adjacent skb_shared_info region.

The scc.c comment already states the buffer must not exceed 4096 bytes,
but this limit is never enforced. Add a bounds check that rejects
values outside the range [16, 4096], consistent with the documented
constraint and large enough to hold at least one KISS header byte plus
useful data.

Cc: stable@vger.kernel.org
Cc: linux-hams@vger.kernel.org
Signed-off-by: Mashiro Chen
--- drivers/net/hamradio/scc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/hamradio/scc.c b/drivers/net/hamradio/scc.c index ae5048efde686a..fd3ff3f4311df2 100644 --- a/drivers/net/hamradio/scc.c +++ b/drivers/net/hamradio/scc.c @@ -1909,6 +1909,8 @@ static int scc_net_siocdevprivate(struct net_device *= dev, if (!capable(CAP_SYS_RAWIO)) return -EPERM; if (!arg || copy_from_user(&memcfg, arg, sizeof(memcfg))) return -EINVAL; + if (memcfg.bufsize < 16 || memcfg.bufsize > 4096) + return -EINVAL; scc->stat.bufsize =3D memcfg.bufsize; return 0; =09 --=20 2.53.0
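
Review bot: the bounds in the added `if (memcfg.bufsize < 16 || memcfg.bufsize > 4096)` are bare literals, and the reason for the lower bound of 16 exists only in the commit message. Please give both limits names (for instance SCC_BUFSIZE_MIN and SCC_BUFSIZE_MAX, suggested names that are not in the driver) or add a one-line comment above the check that ties 4096 to the existing scc.c comment and explains why 16 is the minimum. Since values outside this range were accepted before and now return -EINVAL, the changelog should also say that existing SIOCSCCSMEM callers passing such values will start to fail.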