Message-ID: <68f7bf68.050a0220.346f24.0022.GAE@google.com>
Date: Tue, 21 Oct 2025 10:14:16 -0700
From: syzbot <syzbot+878ddc3962f792e9af59@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: Re: [syzbot] [wireless?] KMSAN: uninit-value in cfg80211_classify8021d

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: Re: [syzbot] [wireless?] KMSAN: uninit-value in cfg80211_classify8021d
Author: listout@...tout.xyz

On 20.10.2025 14:07, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    98ac9cc4b445 Merge tag 'f2fs-fix-6.18-rc2' of git://git.ke..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16be6734580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=bbd3e7f3c2e28265
> dashboard link: https://syzkaller.appspot.com/bug?extid=878ddc3962f792e9af59
> compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=111e7dcd980000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1223a492580000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/f8ad8459a8da/disk-98ac9cc4.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/28720fa307c1/vmlinux-98ac9cc4.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/e4f310acec99/bzImage-98ac9cc4.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+878ddc3962f792e9af59@...kaller.appspotmail.com
> 
> mac80211_hwsim hwsim5 wlan1: entered allmulticast mode
> =====================================================

#syz test

diff --git a/net/wireless/util.c b/net/wireless/util.c
index 56724b33af04..05bb49afd5ef 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -938,9 +938,9 @@ EXPORT_SYMBOL(ieee80211_amsdu_to_8023s);
 unsigned int cfg80211_classify8021d(struct sk_buff *skb,
 				    struct cfg80211_qos_map *qos_map)
 {
-	unsigned int dscp;
-	unsigned char vlan_priority;
-	unsigned int ret;
+	unsigned int dscp = 0;
+	unsigned char vlan_priority = 0;
+	unsigned int ret = 0;
 
 	/* skb->priority values from 256->263 are magic values to
 	 * directly indicate a specific 802.1d priority.  This is used
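
Review bot: the `= 0` initialisers on `vlan_priority` and `ret` at the top of cfg80211_classify8021d() are not required by anything else in this patch, and they will hide any path that really does leave those variables unset, from the compiler as well as from KMSAN. Only `dscp` gains a path on which it is no longer assigned (the new length checks in the switch), so initialise that one alone, or better, let the short-header branch set or return a value explicitly. The submission also has no description; it should say which read the KMSAN report points at and why zero is the right value there.
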
@@ -963,10 +963,18 @@ unsigned int cfg80211_classify8021d(struct sk_buff *skb,
 
 	switch (skb->protocol) {
 	case htons(ETH_P_IP):
-		dscp = ipv4_get_dsfield(ip_hdr(skb)) & 0xfc;
+		if (skb_network_header_len(skb) >= sizeof(struct iphdr)) {
+			struct iphdr *iph = ip_hdr(skb);
+			if (iph)
+				dscp = ipv4_get_dsfield(iph) & 0xfc;
+		}
 		break;
 	case htons(ETH_P_IPV6):
-		dscp = ipv6_get_dsfield(ipv6_hdr(skb)) & 0xfc;
+		if (skb_network_header_len(skb) >= sizeof(struct ipv6hdr)) {
+			struct ipv6hdr *ip6h = ipv6_hdr(skb);
+			if (ip6h)
+				dscp = ipv6_get_dsfield(ip6h) & 0xfc;
+		}
 		break;
 	case htons(ETH_P_MPLS_UC):
 	case htons(ETH_P_MPLS_MC): {
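
Review bot: in the ETH_P_IP and ETH_P_IPV6 cases, `skb_network_header_len(skb) >= sizeof(struct iphdr)` does not establish that the header bytes are present and initialised. skb_network_header_len() is only the difference between the transport and network header offsets, so it depends on the transport header having been set on this path and says nothing about how much data the skb actually holds. Check against the buffer instead, for example by fetching the header with skb_header_pointer() at skb_network_offset(skb), and decide explicitly what priority a short packet gets rather than falling through with dscp 0. The `if (iph)` and `if (ip6h)` tests can be dropped, since ip_hdr() and ipv6_hdr() return a pointer computed from the skb's network header offset and do not return NULL. Kernel style also wants a blank line between the local declaration and the following statement.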

-- 
Regards,
listout
