Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl

The SIOCSCCSMEM ioctl copies a scc_mem_config from user space and
assigns its bufsize field directly to scc->stat.bufsize without any
range validation:

scc->stat.bufsize = memcfg.bufsize;

If a privileged user (CAP_SYS_RAWIO) sets bufsize to 0, the receive
interrupt handler later calls dev_alloc_skb(0) and immediately writes
a KISS type byte via skb_put_u8() into a zero-capacity socket buffer,
corrupting the adjacent skb_shared_info region.

Reject bufsize values smaller than 16; this is large enough to hold
at least one KISS header byte plus useful data.

Signed-off-by: Mashiro Chen <mashiro.chen@mailbox.org>
Acked-by: Joerg Reuter <jreuter@yaina.de>
Link: https://patch.msgid.link/20260409024927.24397-3-mashiro.chen@mailbox.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Authored by Mashiro Chen and committed by Jakub Kicinski
8263e484 6183bd87

drivers/net/hamradio/scc.c
··· 1909 1909 if (!capable(CAP_SYS_RAWIO)) return -EPERM; 1910 1910 if (!arg || copy_from_user(&memcfg, arg, sizeof(memcfg))) 1911 1911 return -EINVAL; 1912 + if (memcfg.bufsize < 16) 1913 + return -EINVAL; 1912 1914 scc->stat.bufsize = memcfg.bufsize; 1913 1915 return 0; 1914 1916
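Review bot: the new check `if (memcfg.bufsize < 16)` bounds the value only from below; nothing in this hunk caps it from above, so an arbitrarily large bufsize is still accepted and stored in `scc->stat.bufsize` for the receive path to hand to dev_alloc_skb(). Consider pairing the lower bound with a sane maximum in the same check, and replacing the bare 16 with a named constant (for example `SCC_MIN_BUFSIZE`, name hypothetical) accompanied by a one-line comment carrying the rationale from the commit message (one KISS header byte plus useful data), so the limit is self-explanatory without consulting git history. The placement is right: the check sits after copy_from_user() succeeds and before the assignment, so no partially validated value reaches `scc->stat`.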