Open Source and information security mailing list archives
Message-ID: <CANn89i+ara1CeKOfuQgZ+oF3FMv3gF2BLP_7OSEEqytz-j9a-Q@mail.gmail.com>
Date: Fri, 19 Sep 2025 12:09:04 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: hariconscious@...il.com
Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, horms@...nel.org, 
	netdev@...r.kernel.org, shuah@...nel.org, stable@...r.kernel.org, 
	linux-kernel@...r.kernel.org, 
	syzbot+9a4fbb77c9d4aacd3388@...kaller.appspotmail.com
Subject: Re: [PATCH net] net/core : fix KMSAN: uninit value in tipc_rcv

On Fri, Sep 19, 2025 at 11:06 AM <hariconscious@...il.com> wrote:
>
> From: HariKrishna Sagala <hariconscious@...il.com>
>
> Syzbot reported an uninit-value bug at kmalloc_reserve for
> commit 320475fbd590 ("Merge tag 'mtd/fixes-for-6.17-rc6' of
> git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux")
>
> Syzbot KMSAN reported use of uninitialized memory originating from the function
> "kmalloc_reserve()", where memory allocated via "kmem_cache_alloc_node()" or
> "kmalloc_node_track_caller()" was not explicitly initialized.
> This can lead to undefined behavior when the allocated buffer
> is later accessed.
>
> Fix this by requesting the initialized memory using the gfp flag
> appended with the option "__GFP_ZERO".
>
> Reported-by: syzbot+9a4fbb77c9d4aacd3388@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388
> Fixes: 915d975b2ffa ("net: deal with integer overflows in
> kmalloc_reserve()")
> Tested-by: syzbot+9a4fbb77c9d4aacd3388@...kaller.appspotmail.com
> Signed-off-by: HariKrishna Sagala <hariconscious@...il.com>
> ---
>  net/core/skbuff.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index ee0274417948..2308ebf99bbd 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -573,6 +573,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node,
>         void *obj;
>
>         obj_size = SKB_HEAD_ALIGN(*size);
> +       flags |= __GFP_ZERO;
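Review bot: Unconditionally OR-ing __GFP_ZERO into flags in kmalloc_reserve() zeroes the head buffer of every skb allocated through this path, a cost paid on the networking fast path for all callers, and it only hides the real defect rather than fixing it: KMSAN flagged the uninitialized read in tipc_rcv, so the bug is TIPC reading bytes of a received skb that were never written, and the fix belongs in the TIPC receive code. Zeroing the linear head also does nothing for non-linear skbs whose data lives in paged fragments, so the same report can still trigger. Separately, the Fixes: tag points at 915d975b2ffa ("net: deal with integer overflows in kmalloc_reserve()"), an overflow fix that did not introduce an uninitialized read in tipc_rcv; the tag should name the commit that actually added the faulty TIPC read, or be dropped if none is known.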

Certainly not.

Some of us care about performance.

Moreover, the bug will still be there for non-linear skbs.

So please fix tipc.
