| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20251117173012.230731-1-activprithvi@gmail.com> Date: Mon, 17 Nov 2025 23:00:12 +0530 From: Prithvi Tambewagh <activprithvi@...il.com> To: mkl@...gutronix.de, socketcan@...tkopp.net Cc: Prithvi Tambewagh <activprithvi@...il.com>, linux-can@...r.kernel.org, linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com Subject: Re: Question about to KMSAN: uninit-value in can_receive Hello, The call trace suggests that the bug appears to be due to effect of change in headroom by pskb_header_expand(). The new headroom remains uninitialized and when can_receive tries accessing can_skb_prv(skb)->skbcnt, indirectly skb->head is accessed which causes KMSAN uninitialized value read bug. To fix this bug, I think we can call can_dropped_invalid_skb() in can_rcv() just before calling can_receive(). Further, we can add a condition for these sk_buff with uninitialized headroom to initialize the skb, the way it had been done in the patch for an earlier packet injection case in a similar KMSAN bug: https://lore.kernel.org/linux-can/20191207183418.28868-1-socketcan@hartkopp.net/ However, I am not getting on what basis can I filter the sk_buff so that only those with an uninitialized headroom will be initialized via this path. Is this the correct approach? Thank you, Prithvi
Powered by blists - more mailing lists