lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CANNWa05qyDYoCe=PQT4nx99CxFtwLoNtJoNKicLUG0A_XT-Emg@mail.gmail.com>
Date: Wed, 26 Nov 2025 10:29:10 +0530
From: SHAURYA RANE <ssrane_b23@...vjti.ac.in>
To: Eric Dumazet <edumazet@...gle.com>
Cc: socketcan@...tkopp.net, mkl@...gutronix.de, jhs@...atatu.com, 
	xiyou.wangcong@...il.com, jiri@...nulli.us, davem@...emloft.net, 
	kuba@...nel.org, pabeni@...hat.com, horms@...nel.org, 
	linux-can@...r.kernel.org, netdev@...r.kernel.org, 
	linux-kernel@...r.kernel.org, skhan@...uxfoundation.org, 
	linux-kernel-mentees@...ts.linux.dev, david.hunter.linux@...il.com, 
	khalid@...nel.org, syzbot+5d8269a1e099279152bc@...kaller.appspotmail.com
Subject: Re: [PATCH net] net/sched: em_canid: add length check before reading
 CAN ID

You're right, checking skb->len alone doesn’t guarantee that the
required bytes are present in the linear data area, especially for
fragmented skbs. I’ll switch this to a proper pskb_may_pull(skb,
sizeof(canid_t)) check to ensure the CAN ID is safely accessible.
I’ll send a v2 patch with the corrected validation.
Thanks,
Shaurya

On Wed, Nov 26, 2025 at 9:46 AM Eric Dumazet <edumazet@...gle.com> wrote:
>
> On Tue, Nov 25, 2025 at 7:46 PM <ssrane_b23@...vjti.ac.in> wrote:
> >
> > From: Shaurya Rane <ssrane_b23@...vjti.ac.in>
> >
> > Add a check to verify that the skb has at least sizeof(canid_t) bytes
> > before reading the CAN ID from skb->data. This prevents reading
> > uninitialized memory when processing malformed packets that don't
> > contain a valid CAN frame.
> >
> > Reported-by: syzbot+5d8269a1e099279152bc@...kaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=5d8269a1e099279152bc
> > Fixes: f057bbb6f9ed ("net: em_canid: Ematch rule to match CAN frames according to their identifiers")
> > Signed-off-by: Shaurya Rane <ssrane_b23@...vjti.ac.in>
> > ---
> >  net/sched/em_canid.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/net/sched/em_canid.c b/net/sched/em_canid.c
> > index 5337bc462755..a9b6cab70ff1 100644
> > --- a/net/sched/em_canid.c
> > +++ b/net/sched/em_canid.c
> > @@ -99,6 +99,9 @@ static int em_canid_match(struct sk_buff *skb, struct tcf_ematch *m,
> >         int i;
> >         const struct can_filter *lp;
> >
> > +       if (skb->len < sizeof(canid_t))
> > +               return 0;
> > +
>
> Please keep in mind that this test is not enough, even if it may
> prevent a particular syzbot repro from triggering a bug.
>
> Take a look at pskb_may_pull() for details.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ