lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20251106192423.412977-1-activprithvi@gmail.com>
Date: Fri,  7 Nov 2025 00:54:23 +0530
From: Prithvi Tambewagh <activprithvi@...il.com>
To: davem@...emloft.net,
	edumazet@...gle.com,
	kuba@...nel.org,
	pabeni@...hat.com,
	horms@...nel.org,
	alexanderduyck@...com,
	chuck.lever@...cle.com,
	linyunsheng@...wei.com
Cc: netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	skhan@...uxfoundation.org,
	david.hunter.linux@...il.com,
	khalid@...nel.org,
	linux-kernel-mentees@...ts.linux.dev,
	Prithvi Tambewagh <activprithvi@...il.com>,
	syzbot+4b8a1e4690e64b018227@...kaller.appspotmail.com
Subject: [PATCH] net: core: Initialize new header to zero in pskb_expand_head

KMSAN reports uninitialized value in can_receive(). The crash trace shows
the uninitialized value was created in pskb_expand_head(). This function
expands header of a socket buffer using kmalloc_reserve() which doesn't
zero-initialize the memory. When old packet data is copied to the new
buffer at an offset of data+nhead, new header area (first nhead bytes of
the new buffer) are left uninitialized. This is fixed by using memset()
to zero-initialize this header of the new buffer.

Reported-by: syzbot+4b8a1e4690e64b018227@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4b8a1e4690e64b018227
Signed-off-by: Prithvi Tambewagh <activprithvi@...il.com>
---
 net/core/skbuff.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 6841e61a6bd0..3486271260ac 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2282,6 +2282,8 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 	 */
 	memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
 
+	memset(data, 0, size);
+
 	memcpy((struct skb_shared_info *)(data + size),
 	       skb_shinfo(skb),
 	       offsetof(struct skb_shared_info, frags[skb_shinfo(skb)->nr_frags]));
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ