lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <69572b54.050a0220.a1b6.034a.GAE@google.com>
Date: Thu, 01 Jan 2026 18:20:04 -0800
From: syzbot <syzbot+619b9ef527f510a57cfc@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head()
Author: kartikey406@...il.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When pskb_expand_head() allocates a new buffer with additional headroom
(nhead), the newly allocated headroom region is not initialized. This
uninitialized memory can later be accessed when BPF programs use
bpf_skb_adjust_room() to push headers into this space.

The call chain is:
  bpf_skb_adjust_room()
    -> bpf_skb_net_grow()
      -> skb_cow_head()
        -> pskb_expand_head()  // allocates uninit headroom
      -> bpf_skb_net_hdr_push()
        -> bpf_skb_generic_push()
          -> skb_postpush_data_move()
            -> skb_data_move()  // moves uninit memory

Fix this by zeroing the new headroom region immediately after allocation
in pskb_expand_head().

Reported-by: syzbot+619b9ef527f510a57cfc@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
---
 net/core/skbuff.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a00808f7be6a..875572a27e58 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2283,6 +2283,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
 	if (!data)
 		goto nodata;
 	size = SKB_WITH_OVERHEAD(size);
+	memset(data, 0, nhead);
 
 	/* Copy only real data... and, alas, header. This should be
 	 * optimized for the cases when header is void.
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ