summaryrefslogtreecommitdiff
path: root/include/linux
diff options
context:
space:
mode:
authorDaehyeon Ko <4ncienth@gmail.com>2026-07-03 17:36:33 +0900
committerPaolo Abeni <pabeni@redhat.com>2026-07-09 13:05:04 +0200
commitf5089008f90c0a7c5520dff3934e0af00adf322d (patch)
tree9aa744bbade5e6d2a7146aa3bcbb0ba8bfaa880e /include/linux
parent78237e3c0720fcc6eb9b87e90fd70f63eeca886f (diff)
macsec: don't read an unset MAC header in macsec_encrypt()
macsec_encrypt() reads the Ethernet header via eth_hdr(skb) (skb->head + skb->mac_header) to memmove() the 12 source/destination MAC bytes forward and make room for the SecTAG. On the AF_PACKET SOCK_RAW + PACKET_QDISC_BYPASS transmit path the skb reaches the macsec ndo_start_xmit() with the MAC header unset, so eth_hdr(skb) resolves to skb->head + (u16)~0 and the read is out of bounds: a 12-byte heap over-read that is also emitted on the wire as the frame's outer source/destination MAC. KASAN reports a slab-out-of-bounds read in macsec_start_xmit() on 6.0; on current mainline a CONFIG_DEBUG_NET build flags it as an unset mac header in skb_mac_header(). On the TX path the L2 header is at skb->data, so use skb_eth_hdr(), added by commit 96cc4b69581d ("macvlan: do not assume mac_header is set in macvlan_broadcast()") for exactly this purpose. Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") Cc: stable@vger.kernel.org Signed-off-by: Daehyeon Ko <4ncienth@gmail.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Link: https://patch.msgid.link/20260703083634.2035145-1-4ncienth@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions