Message-ID: <aSxpOjsmyMPlB-Mg@horms.kernel.org>
Date: Sun, 30 Nov 2025 15:56:42 +0000
From: Simon Horman <horms@...nel.org>
To: Edward Adam Davis <eadavis@...com>
Cc: syzbot+5dd615f890ddada54057@...kaller.appspotmail.com,
	davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
	linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
	pabeni@...hat.com, syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] net: atm: targetless need more input msg

Hi Edward,

Thanks for taking time to look into this issue.

On Fri, Nov 28, 2025 at 11:56:25PM +0800, Edward Adam Davis wrote:
> syzbot found an uninitialized targetless variable. The user-provided
> data was only 28 bytes long, but initializing targetless requires at
> least 44 bytes. This discrepancy ultimately led to the uninitialized
> variable access issue reported by syzbot [1].
> 
> Adding a message length check to the arp update process eliminates
> the uninitialized issue in [1].
> 
> [1]
> BUG: KMSAN: uninit-value in lec_arp_update net/atm/lec.c:1845 [inline]
>  lec_arp_update net/atm/lec.c:1845 [inline]
>  lec_atm_send+0x2b02/0x55b0 net/atm/lec.c:385
>  vcc_sendmsg+0x1052/0x1190 net/atm/common.c:650
> 
> Reported-by: syzbot+5dd615f890ddada54057@...kaller.appspotmail.com

I think it would be useful to also include:

Closes: https://syzkaller.appspot.com/bug?extid=5dd615f890ddada54057

And as a fix for Networking code it should include a fixes tag.
Briefly examining the history of this code, using git annotate,
it seems that this problem has existed since the beginning of git history.
If so, this tag seems appropriate:

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

Also, as a fix for Networking code present in the net tree,
it should be targeted at that tree, like this:

Subject: [PATCH net] ...

More information on the Networking development workflow can be found here:
https://docs.kernel.org/process/maintainer-netdev.html


> Signed-off-by: Edward Adam Davis <eadavis@...com>
> ---
>  net/atm/lec.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/net/atm/lec.c b/net/atm/lec.c
> index afb8d3eb2185..178132b2771a 100644
> --- a/net/atm/lec.c
> +++ b/net/atm/lec.c
> @@ -382,6 +382,15 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb)
>  			break;
>  		fallthrough;
>  	case l_arp_update:
> +	{
> +		int need_size = offsetofend(struct atmlec_msg,
> +				content.normal.targetless_le_arp);
> +		if (skb->len < need_size) {

As per Eric's comment on a similar fix [1],
you should probably be using pskb_may_pull().

Also, I see that this patch addresses the l_arp_update case.
But it looks like a similar problem exists at least in the l_config case
too.

So I think it would be useful to take a more holistic approach.
Perhaps in the form of a patchset if you want to restrict this
patch to addressing the specific problem flagged by syzbot.

[1] https://lore.kernel.org/netdev/20251126034601.236922-1-ssranevjti@gmail.com/

> +			pr_info("Input msg size too small, need %d got %u\n",
> +				 need_size, skb->len);
> +			dev_kfree_skb(skb);
> +			return -EINVAL;
> +		}
>  		lec_arp_update(priv, mesg->content.normal.mac_addr,
>  			       mesg->content.normal.atm_addr,
>  			       mesg->content.normal.flag,
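Review bot: the pr_info() inside the new `if (skb->len < need_size)` block fires on every undersized message user space hands to lec_atm_send(), so it should be rate limited or demoted, e.g. `pr_info_ratelimited("Input msg size too small, need %d got %u\n", need_size, skb->len);` or pr_debug(), to keep a local sender from filling the kernel log. A smaller point: `need_size` is never modified after initialisation and can be declared `const int`.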

-- 
pw-bot: changes-requested
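The per-type minimum-length check discussed in the thread (an entry for l_arp_update and one for l_config, with the fixed header validated before the type is read), as an added user-space model that is not code from the patch, the kernel or the reviewers; it assumes the struct atmlec_msg layout matches the kernel uapi header with ETH_ALEN = 6 and ATM_ESA_LEN = 20, and the content.config stand-in and enum values are illustrative:

```c
/* User-space model of the per-type length check lec_atm_send() needs before it
 * reads a struct atmlec_msg. Added example, not kernel or patch code. Assumed:
 * layout mirrors the kernel uapi header (ETH_ALEN = 6, ATM_ESA_LEN = 20);
 * content.config is a stand-in and the enum values are illustrative. */
#include <stddef.h>
#include <string.h>
#include <errno.h>
#define ETH_ALEN    6
#define ATM_ESA_LEN 20
#define offsetofend(T, m) (offsetof(T, m) + sizeof(((T *)0)->m)) /* as in the kernel */
enum atmlec_msg_type { l_arp_update = 6, l_config = 8 };
struct atmlec_msg {
	int type, sizeoftlvs;
	union {
		struct {
			unsigned char mac_addr[ETH_ALEN];
			unsigned char atm_addr[ATM_ESA_LEN];
			unsigned int flag, targetless_le_arp, no_source_le_narp;
		} normal;
		struct { unsigned int aging_time; int mtu; } config; /* stand-in */
	} content;
};
/* Bytes a message of this type must carry before its fields may be read. */
size_t lec_msg_min_len(int type)
{
	switch (type) {
	case l_arp_update:
		return offsetofend(struct atmlec_msg, content.normal.targetless_le_arp);
	case l_config:
		return offsetofend(struct atmlec_msg, content.config);
	default: /* other types: only the fixed header is read here */
		return offsetofend(struct atmlec_msg, sizeoftlvs);
	}
}
/* 0 if buf holds a complete message of its type, else -EINVAL; the header is
 * validated before type is read, so the check itself never overruns a short msg. */
int lec_msg_check(const unsigned char *buf, size_t len)
{
	int type;
	if (len < offsetofend(struct atmlec_msg, sizeoftlvs))
		return -EINVAL;
	memcpy(&type, buf + offsetof(struct atmlec_msg, type), sizeof(type));
	return len < lec_msg_min_len(type) ? -EINVAL : 0;
}
int lec_check_arp_update_of_len(size_t len)
{
	unsigned char buf[64] = {0}; /* constructed: zero-filled l_arp_update, cut to len */
	int type = l_arp_update;
	memcpy(buf, &type, sizeof(type));
	return lec_msg_check(buf, len);
}
```

With this layout the l_arp_update minimum comes out at 44 bytes, matching the figure in the commit message, so the 28-byte syzbot input is rejected before any field past the header is touched.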
