lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251207041453.8302-1-dharanitharan725@gmail.com>
Date: Sun,  7 Dec 2025 04:14:53 +0000
From: Dharanitharan R <dharanitharan725@...il.com>
To: syzbot+5dd615f890ddada54057@...kaller.appspotmail.com
Cc: netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Dharanitharan R <dharanitharan725@...il.com>
Subject: [PATCH] net: atm: lec: add pre_send validation to avoid uninitialized

syzbot reported a KMSAN uninitialized-value crash caused by reading
fields from struct atmlec_msg before validating that the skb contains
enough linear data. A malformed short skb can cause lec_arp_update()
and other handlers to access uninitialized memory.

Add a pre_send() validator that ensures the message header and optional
TLVs are fully present. This prevents all lec message types from reading
beyond initialized skb data.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+5dd615f890ddada54057@...kaller.appspotmail.com
Tested-by: syzbot+5dd615f890ddada54057@...kaller.appspotmail.com

Closes: https://syzkaller.appspot.com/bug?extid=5dd615f890ddada54057

Signed-off-by: Dharanitharan R <dharanitharan725@...il.com>
---
 net/atm/lec.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/net/atm/lec.c b/net/atm/lec.c
index afb8d3eb2185..c893781a490a 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -489,8 +489,33 @@ static void lec_atm_close(struct atm_vcc *vcc)
 	module_put(THIS_MODULE);
 }
 
+static int lec_atm_pre_send(struct atm_vcc *vcc, struct sk_buff *skb)
+{
+	struct atmlec_msg *mesg;
+	u32 sizeoftlvs;
+	unsigned int msg_size = sizeof(struct atmlec_msg);
+
+	/* Must contain the base message */
+	if (skb->len < msg_size)
+		return -EINVAL;
+
+   /* Must have at least msg_size bytes in linear data */
+   if (!pskb_may_pull(skb, msg_size))
+   	return -EINVAL;
+
+	mesg = (struct atmlec_msg *)skb->data;
+   sizeoftlvs = mesg->sizeoftlvs;
+
+   /* Validate TLVs if present */
+   if (sizeoftlvs && !pskb_may_pull(skb, msg_size + sizeoftlvs))
+       return -EINVAL;
+
+   return 0;
+}
+
 static const struct atmdev_ops lecdev_ops = {
 	.close = lec_atm_close,
+	.pre_send = lec_atm_pre_send, 
 	.send = lec_atm_send
 };
 
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ