lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANn89iLiCh85_1Ah6O_rTOCGwLet97f7DyfyZMDgfTV==iUVUw@mail.gmail.com>
Date: Tue, 25 Nov 2025 20:16:25 -0800
From: Eric Dumazet <edumazet@...gle.com>
To: ssrane_b23@...vjti.ac.in
Cc: socketcan@...tkopp.net, mkl@...gutronix.de, jhs@...atatu.com, 
	xiyou.wangcong@...il.com, jiri@...nulli.us, davem@...emloft.net, 
	kuba@...nel.org, pabeni@...hat.com, horms@...nel.org, 
	linux-can@...r.kernel.org, netdev@...r.kernel.org, 
	linux-kernel@...r.kernel.org, skhan@...uxfoundation.org, 
	linux-kernel-mentees@...ts.linux.dev, david.hunter.linux@...il.com, 
	khalid@...nel.org, syzbot+5d8269a1e099279152bc@...kaller.appspotmail.com
Subject: Re: [PATCH net] net/sched: em_canid: add length check before reading
 CAN ID

On Tue, Nov 25, 2025 at 7:46 PM <ssrane_b23@...vjti.ac.in> wrote:
>
> From: Shaurya Rane <ssrane_b23@...vjti.ac.in>
>
> Add a check to verify that the skb has at least sizeof(canid_t) bytes
> before reading the CAN ID from skb->data. This prevents reading
> uninitialized memory when processing malformed packets that don't
> contain a valid CAN frame.
>
> Reported-by: syzbot+5d8269a1e099279152bc@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=5d8269a1e099279152bc
> Fixes: f057bbb6f9ed ("net: em_canid: Ematch rule to match CAN frames according to their identifiers")
> Signed-off-by: Shaurya Rane <ssrane_b23@...vjti.ac.in>
> ---
>  net/sched/em_canid.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/sched/em_canid.c b/net/sched/em_canid.c
> index 5337bc462755..a9b6cab70ff1 100644
> --- a/net/sched/em_canid.c
> +++ b/net/sched/em_canid.c
> @@ -99,6 +99,9 @@ static int em_canid_match(struct sk_buff *skb, struct tcf_ematch *m,
>         int i;
>         const struct can_filter *lp;
>
> +       if (skb->len < sizeof(canid_t))
> +               return 0;
> +

Please keep in mind that this test is not enough, even if it may
prevent a particular syzbot repro from triggering a bug.

Take a look at pskb_may_pull() for details.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ