| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20260114135643.17484-1-sohammetha01@gmail.com> Date: Wed, 14 Jan 2026 19:26:43 +0530 From: Soham Metha <sohammetha01@...il.com> To: linux-kernel-mentees@...ts.linuxfoundation.org Cc: shuah@...nel.org, syzbot+619b9ef527f510a57cfc@...kaller.appspotmail.com, syzkaller-bugs@...glegroups.com, andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org, daniel@...earbox.net, eddyz87@...il.com, haoluo@...gle.com, john.fastabend@...il.com, jolsa@...nel.org, kpsingh@...nel.org, linux-kernel@...r.kernel.org, martin.lau@...ux.dev, sdf@...ichev.me, song@...nel.org, yonghong.song@...ux.dev, Soham Metha <sohammetha01@...il.com> Subject: [PATCH] net: skbuff: fix uninitialized memory use in pskb_expand_head() pskb_expand_head() allocates a new skb data buffer using kmalloc_reserve(), which does not initialize memory. skb helpers may later copy or move padding bytes from the buffer. Initialize the newly allocated skb buffer to avoid propagating uninitialized memory. Reported-by: syzbot+619b9ef527f510a57cfc@...kaller.appspotmail.com Signed-off-by: Soham Metha <sohammetha01@...il.com> --- #syz test net/core/skbuff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index a56133902c0d..b0f0d3a0310b 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -2282,6 +2282,9 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail, data = kmalloc_reserve(&size, gfp_mask, NUMA_NO_NODE, NULL); if (!data) goto nodata; + + memset(data, 0, size); + size = SKB_WITH_OVERHEAD(size); /* Copy only real data... and, alas, header. This should be -- 2.34.1
Powered by blists - more mailing lists