lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID:
 <MEYPR01MB7886119A494C646719A3F77CAFA0A@MEYPR01MB7886.ausprd01.prod.outlook.com>
Date: Wed, 10 Dec 2025 10:47:33 +0800
From: Junrui Luo <moonafterrain@...look.com>
To: "David S. Miller" <davem@...emloft.net>, 
 Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, 
 Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, 
 Herbert Xu <herbert@...dor.apana.org.au>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org, 
 Yuhao Jiang <danisjiang@...il.com>, Junrui Luo <moonafterrain@...look.com>
Subject: [PATCH net] skb_checksum_help: fix out-of-bounds access

The skb_checksum_help() function does not validate negative offset
values returned by skb_checksum_start_offset(). This can occur when
__skb_pull() is called on a packet, increasing the headroom while
leaving csum_start unchanged.

A negative offset causes out-of-bounds memory access:
- skb_checksum() reads before skb->data when computing the checksum
- skb_checksum_help() writes before skb->data

Add validation to detect and reject negative offsets.

Reported-by: Yuhao Jiang <danisjiang@...il.com>
Reported-by: Junrui Luo <moonafterrain@...look.com>
Fixes: 663ead3bb8d5 ("[NET]: Use csum_start offset instead of skb_transport_header")
Signed-off-by: Junrui Luo <moonafterrain@...look.com>
---
 net/core/dev.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/core/dev.c b/net/core/dev.c
index 9094c0fb8c68..30161b9240a2 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3574,6 +3574,11 @@ int skb_checksum_help(struct sk_buff *skb)
 
 	offset = skb_checksum_start_offset(skb);
 	ret = -EINVAL;
+	if (unlikely(offset < 0)) {
+		DO_ONCE_LITE(skb_dump, KERN_ERR, skb, false);
+		WARN_ONCE(true, "offset (%d) < 0\n", offset);
+		goto out;
+	}
 	if (unlikely(offset >= skb_headlen(skb))) {
 		DO_ONCE_LITE(skb_dump, KERN_ERR, skb, false);
 		WARN_ONCE(true, "offset (%d) >= skb_headlen() (%u)\n",

---
base-commit: cfd4039213e7b5a828c5b78e1b5235cac91af53d
change-id: 20251210-fixes-ef9fa1c91916

Best regards,
-- 
Junrui Luo <moonafterrain@...look.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ