lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20251106165732.6ea6bd87@kernel.org>
Date: Thu, 6 Nov 2025 16:57:32 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Prithvi Tambewagh <activprithvi@...il.com>
Cc: davem@...emloft.net, edumazet@...gle.com, pabeni@...hat.com,
 horms@...nel.org, alexanderduyck@...com, chuck.lever@...cle.com,
 linyunsheng@...wei.com, netdev@...r.kernel.org,
 linux-kernel@...r.kernel.org, skhan@...uxfoundation.org,
 david.hunter.linux@...il.com, khalid@...nel.org,
 linux-kernel-mentees@...ts.linux.dev,
 syzbot+4b8a1e4690e64b018227@...kaller.appspotmail.com
Subject: Re: [PATCH] net: core: Initialize new header to zero in
 pskb_expand_head

On Fri,  7 Nov 2025 00:54:23 +0530 Prithvi Tambewagh wrote:
> KMSAN reports uninitialized value in can_receive(). The crash trace shows
> the uninitialized value was created in pskb_expand_head(). This function
> expands header of a socket buffer using kmalloc_reserve() which doesn't
> zero-initialize the memory. When old packet data is copied to the new
> buffer at an offset of data+nhead, new header area (first nhead bytes of
> the new buffer) are left uninitialized. This is fixed by using memset()
> to zero-initialize this header of the new buffer.

It's caller's responsibility to initialize the skb data, please leave
the core alone..

> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index 6841e61a6bd0..3486271260ac 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -2282,6 +2282,8 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
>  	 */
>  	memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
>  
> +	memset(data, 0, size);

We just copied the data in there, and now you're zeroing it.

>  	memcpy((struct skb_shared_info *)(data + size),
-- 
pw-bot: cr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ