| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_AF3D7D376E965E371A4BBE74CF765566DE09@qq.com>
Date: Mon, 1 Dec 2025 09:35:00 +0800
From: Edward Adam Davis <eadavis@...com>
To: horms@...nel.org
Cc: davem@...emloft.net,
eadavis@...com,
edumazet@...gle.com,
kuba@...nel.org,
linux-kernel@...r.kernel.org,
netdev@...r.kernel.org,
pabeni@...hat.com,
syzbot+5dd615f890ddada54057@...kaller.appspotmail.com,
syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] net: atm: targetless need more input msg
Sun, 30 Nov 2025 15:56:42 +0000, Simon Horman wrote:
> > syzbot found an uninitialized targetless variable. The user-provided
> > data was only 28 bytes long, but initializing targetless requires at
> > least 44 bytes. This discrepancy ultimately led to the uninitialized
> > variable access issue reported by syzbot [1].
> >
> > Adding a message length check to the arp update process eliminates
> > the uninitialized issue in [1].
> >
> > [1]
> > BUG: KMSAN: uninit-value in lec_arp_update net/atm/lec.c:1845 [inline]
> > lec_arp_update net/atm/lec.c:1845 [inline]
> > lec_atm_send+0x2b02/0x55b0 net/atm/lec.c:385
> > vcc_sendmsg+0x1052/0x1190 net/atm/common.c:650
> >
> > Reported-by: syzbot+5dd615f890ddada54057@...kaller.appspotmail.com
>
> I think it would be useful to also include:
>
> Closes: https://syzkaller.appspot.com/bug?extid=5dd615f890ddada54057
>
> And as a fix for Networking code it should include a fixes tag.
> Briefly examining the history of this code, using git annotate,
> it seems that this problem has existed since the beginning of git history.
> If so, this tag seems appropriate:
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>
> Also, as a fix for Networking code present in the net tree,
> it should be targeted at that tree, like this:
>
> Subject: [PATCH net] ...
Thanks very much for your oppinions. I will send v2 for it.
>
> More information on the Networking development workflow can be found here:
> https://docs.kernel.org/process/maintainer-netdev.html
>
>
> > Signed-off-by: Edward Adam Davis <eadavis@...com>
> > ---
> > net/atm/lec.c | 10 ++++++++++
> > 1 file changed, 10 insertions(+)
> >
> > diff --git a/net/atm/lec.c b/net/atm/lec.c
> > index afb8d3eb2185..178132b2771a 100644
> > --- a/net/atm/lec.c
> > +++ b/net/atm/lec.c
> > @@ -382,6 +382,15 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb)
> > break;
> > fallthrough;
> > case l_arp_update:
> > + {
> > + int need_size = offsetofend(struct atmlec_msg,
> > + content.normal.targetless_le_arp);
> > + if (skb->len < need_size) {
>
> As per Eric's comment on a similar fix [1],
> you should probably be using pskb_may_pull().
The pskb_may_pull() function performs a more thorough check of the skb
length, which is especially suitable for handling non-linear data areas.
>
> Also, I see that this patch addresses the l_arp_update case.
> But it looks like a similar problem exist in least in the l_config case
> too.
I noticed this, and it's not just these; several types of atmlec_msg
handled in lec_atm_send() are also involved.
Strictly speaking, they all require relevant checks.
>
> So I think it would be useful take a more holistic approach.
> Perhaps in the form of a patchset if you want to restrict this
> patch to addressing the specific problem flagged by syzbot.
Okay, I'll carefully consider how to handle the others.
>
> [1] https://lore.kernel.org/netdev/20251126034601.236922-1-ssranevjti@gmail.com/
>
> > + pr_info("Input msg size too small, need %d got %u\n",
> > + need_size, skb->len);
> > + dev_kfree_skb(skb);
> > + return -EINVAL;
> > + }
> > lec_arp_update(priv, mesg->content.normal.mac_addr,
> > mesg->content.normal.atm_addr,
> > mesg->content.normal.flag,
Powered by blists - more mailing lists