lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <e3c1117c-144e-4f4e-ad43-d0a11bc2ecaa@redhat.com>
Date: Thu, 4 Dec 2025 11:26:53 +0100
From: Paolo Abeni <pabeni@...hat.com>
To: Edward Adam Davis <eadavis@...com>,
 syzbot+5dd615f890ddada54057@...kaller.appspotmail.com
Cc: davem@...emloft.net, edumazet@...gle.com, horms@...nel.org,
 kuba@...nel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
 syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] net: atm: targetless need more input msg

On 11/28/25 4:56 PM, Edward Adam Davis wrote:
> syzbot found an uninitialized targetless variable. The user-provided
> data was only 28 bytes long, but initializing targetless requires at
> least 44 bytes. This discrepancy ultimately led to the uninitialized
> variable access issue reported by syzbot [1].
> 
> Adding a message length check to the arp update process eliminates
> the uninitialized issue in [1].
> 
> [1]
> BUG: KMSAN: uninit-value in lec_arp_update net/atm/lec.c:1845 [inline]
>  lec_arp_update net/atm/lec.c:1845 [inline]
>  lec_atm_send+0x2b02/0x55b0 net/atm/lec.c:385
>  vcc_sendmsg+0x1052/0x1190 net/atm/common.c:650
> 
> Reported-by: syzbot+5dd615f890ddada54057@...kaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@...com>

This needs a suitable fixes tag, and you should specify the target tree
into the subj prefix, see:

https://elixir.bootlin.com/linux/v6.18/source/Documentation/process/maintainer-netdev.rst#L61

> ---
>  net/atm/lec.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/net/atm/lec.c b/net/atm/lec.c
> index afb8d3eb2185..178132b2771a 100644
> --- a/net/atm/lec.c
> +++ b/net/atm/lec.c
> @@ -382,6 +382,15 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb)
>  			break;
>  		fallthrough;
>  	case l_arp_update:
> +	{
> +		int need_size = offsetofend(struct atmlec_msg,
> +				content.normal.targetless_le_arp);
> +		if (skb->len < need_size) {
> +			pr_info("Input msg size too small, need %d got %u\n",
> +				 need_size, skb->len);
> +			dev_kfree_skb(skb);
> +			return -EINVAL;
> +		}

Can this be reached by pppoatm_send?
Are you sure that the data will always be available in the linear part?

/P

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ