| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANNWa06P=u44r=Nq5Er+iuJW=aEpaAq0L7HKn9id+KLjy_pEtg@mail.gmail.com>
Date: Wed, 26 Nov 2025 14:27:04 +0530
From: SHAURYA RANE <ssrane_b23@...vjti.ac.in>
To: Oliver Hartkopp <socketcan@...tkopp.net>
Cc: Marc Kleine-Budde <mkl@...gutronix.de>, Jamal Hadi Salim <jhs@...atatu.com>,
Cong Wang <xiyou.wangcong@...il.com>, Jiri Pirko <jiri@...nulli.us>,
"David S . Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
Rostislav Lisovy <lisovy@...il.com>, linux-can@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, skhan@...uxfoundation.org,
linux-kernel-mentees@...ts.linux.dev, david.hunter.linux@...il.com,
khalid@...nel.org, syzbot+5d8269a1e099279152bc@...kaller.appspotmail.com
Subject: Re: [PATCH v2] net/sched: em_canid: fix uninit-value in em_canid_match
Thanks Oliver,
That makes sense EM_CANID operates on a full struct can_frame, so
ensuring CAN_MTU bytes are available is the correct approach. I’ll
update the patch accordingly and send a v3.
Thanks for the clarification!
Shaurya
On Wed, Nov 26, 2025 at 1:33 PM Oliver Hartkopp <socketcan@...tkopp.net> wrote:
>
> Hello Shaurya,
>
> many thanks that you picked up this KMSAN issue!
>
> On 26.11.25 08:06, ssrane_b23@...vjti.ac.in wrote:
> > From: Shaurya Rane <ssrane_b23@...vjti.ac.in>
> >
> > Use pskb_may_pull() to ensure the CAN ID is accessible in the linear
> > data buffer before reading it. A simple skb->len check is insufficient
> > because it only verifies the total data length but does not guarantee
> > the data is present in skb->data (it could be in fragments).
> >
> > pskb_may_pull() both validates the length and pulls fragmented data
> > into the linear buffer if necessary, making it safe to directly
> > access skb->data.
> >
> > Reported-by: syzbot+5d8269a1e099279152bc@...kaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=5d8269a1e099279152bc
> > Fixes: f057bbb6f9ed ("net: em_canid: Ematch rule to match CAN frames according to their identifiers")
> > Signed-off-by: Shaurya Rane <ssrane_b23@...vjti.ac.in>
> > ---
> > v2: Use pskb_may_pull() instead of skb->len check to properly
> > handle fragmented skbs (Eric Dumazet)
> > ---
> > net/sched/em_canid.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/net/sched/em_canid.c b/net/sched/em_canid.c
> > index 5337bc462755..2214b548fab8 100644
> > --- a/net/sched/em_canid.c
> > +++ b/net/sched/em_canid.c
> > @@ -99,6 +99,9 @@ static int em_canid_match(struct sk_buff *skb, struct tcf_ematch *m,
> > int i;
> > const struct can_filter *lp;
> >
> > + if (!pskb_may_pull(skb, sizeof(canid_t)))
>
> The EM CANID handles struct CAN frames in skb->data.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/can.h#n221
>
> The smallest type of CAN frame that can be properly handled with EM
> CANID is a Classical CAN frame which has a length of 16 bytes.
>
> Therefore I would suggest
>
> if (!pskb_may_pull(skb, CAN_MTU))
>
> instead of only checking for the first element in struct can_frame.
>
> Many thanks and best regards,
> Oliver
>
>
> > + return 0;
> > +
> > can_id = em_canid_get_id(skb);
> >
> > if (can_id & CAN_EFF_FLAG) {
>
Powered by blists - more mailing lists