| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20251021030035.1424912-1-1599101385@qq.com>
Date: Tue, 21 Oct 2025 11:00:35 +0800
From: clingfei <clf700383@...il.com>
To: syzbot+be97dd4da14ae88b6ba4@...kaller.appspotmail.com
Cc: davem@...emloft.net,
edumazet@...gle.com,
herbert@...dor.apana.org.au,
horms@...nel.org,
kuba@...nel.org,
linux-kernel@...r.kernel.org,
netdev@...r.kernel.org,
pabeni@...hat.com,
steffen.klassert@...unet.com,
syzkaller-bugs@...glegroups.com,
clf700383@...il.com
Subject: [PATCH] fix integer overflow in set_ipsecrequest
syzbot found that there is a kernel bug in set_ipsecrequest:
skbuff: skb_over_panic: text:ffffffff8a1fdd63 len:392 put:16 head:ffff888073664d00
data:ffff888073664d00 tail:0x188 end:0x180 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:212!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6012 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:212
Code: c7 60 10 6e 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55
41 57 41 56 e8 6e 54 f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90
90 90 90 90 90 90 90
RSP: 0018:ffffc90003d5eb68 EFLAGS: 00010282
RAX: 0000000000000088 RBX: dffffc0000000000 RCX: bc84b821dc35fd00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000180 R08: ffffc90003d5e867 R09: 1ffff920007abd0c
R10: dffffc0000000000 R11: fffff520007abd0d R12: ffff8880720b7b50
R13: ffff888073664d00 R14: ffff888073664d00 R15: 0000000000000188
FS: 000055555b9e7500(0000) GS:ffff888125e0c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555b9e7808 CR3: 000000007ead6000 CR4: 00000000003526f0
Call Trace:
<TASK>
skb_over_panic net/core/skbuff.c:217 [inline]
skb_put+0x159/0x210 net/core/skbuff.c:2583
skb_put_zero include/linux/skbuff.h:2788 [inline]
set_ipsecrequest+0x73/0x680 net/key/af_key.c:3532
pfkey_send_migrate+0x11f2/0x1de0 net/key/af_key.c:3636
km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2838
xfrm_migrate+0x2020/0x2330 net/xfrm/xfrm_policy.c:4698
xfrm_do_migrate+0x796/0x900 net/xfrm/xfrm_user.c:3144
xfrm_user_rcv_msg+0x7a3/0xab0 net/xfrm/xfrm_user.c:3501
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
xfrm_netlink_rcv+0x79/0x90 net/xfrm/xfrm_user.c:3523
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
____sys_sendmsg+0x505/0x830 net/socket.c:2630
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684
__sys_sendmsg net/socket.c:2716 [inline]
__do_sys_sendmsg net/socket.c:2721 [inline]
__se_sys_sendmsg net/socket.c:2719 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2719
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The reason is that there is an integer overflow when calling set_ipsecrequest,
causing the result of `pfkey_sockaddr_pair_size(family)` is not consistent with
that used in alloc_skb, thus exceeds the total buffer size and the kernel panic.
This patch has been tested by syzbot and dit not trigger any issue:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> Reported-by: syzbot+be97dd4da14ae88b6ba4@...kaller.appspotmail.com
> Tested-by: syzbot+be97dd4da14ae88b6ba4@...kaller.appspotmail.com
>
> Tested on:
>
> commit: 7361c864 selftests/bpf: Fix list_del() in arena list
> git tree: bpf-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1089f52f980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
> dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> patch: https://syzkaller.appspot.com/x/patch.diff?x=12bf83cd980000
>
> Note: testing is done by a robot and is best-effort only.
>From 6dc2deb09faf7d53707cc9e75e175b09644fd181 Mon Sep 17 00:00:00 2001
From: clingfei <clf700383@...il.com>
Date: Mon, 20 Oct 2025 13:48:54 +0800
Subject: [PATCH] fix integer overflow in set_ipsecrequest
syzbot reported a kernel BUG in set_ipsecrequest() due to an skb_over_panic.
The mp->new_family and mp->old_family is u16, while set_ipsecrequest receives
family as uint8_t, causing a integer overflow and the later size_req calculation
error, which exceeds the size used in alloc_skb, and ultimately triggered the
kernel bug in skb_put.
Reported-by: syzbot+be97dd4da14ae88b6ba4@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
Signed-off-by: Cheng Lingfei <clf700383@...il.com>
---
net/key/af_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 2ebde0352245..08f4cde01994 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3518,7 +3518,7 @@ static int set_sadb_kmaddress(struct sk_buff *skb, const struct xfrm_kmaddress *
static int set_ipsecrequest(struct sk_buff *skb,
uint8_t proto, uint8_t mode, int level,
- uint32_t reqid, uint8_t family,
+ uint32_t reqid, uint16_t family,
const xfrm_address_t *src, const xfrm_address_t *dst)
{
struct sadb_x_ipsecrequest *rq;
--
2.34.1
Powered by blists - more mailing lists