lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANn89iJvj8YXtuMNTh1cQOjVctBsMs88FHx-xLn+rCzyBGn-og@mail.gmail.com>
Date: Mon, 26 Jan 2026 12:22:39 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: 김강민 <km.kim1503@...il.com>
Cc: davem@...emloft.net, Jamal Hadi Salim <jhs@...atatu.com>, jiri@...nulli.us, 
	kuba@...nel.org, netdev@...r.kernel.org, pabeni@...hat.com, 
	xiyou.wangcong@...il.com, horms@...nel.org, syzkaller@...glegroups.com, 
	linux-kernel@...r.kernel.org
Subject: Re: [BUG] KASAN: slab-use-after-free Read in u32_classify

On Mon, Jan 26, 2026 at 10:51 AM Eric Dumazet <edumazet@...gle.com> wrote:
>
> On Mon, Jan 26, 2026 at 5:30 AM 김강민 <km.kim1503@...il.com> wrote:
> >
> > Apologies, I set the wrong title and KASAN report. The root cause is
> > out-of-bounds, not use-after-free. Please find the correct KASAN
> > report below.
>
> This is great, do you have a patch to fix the issue and get full
> credit on the resolution ?
>
> Thank you

Brute force patch is a bit expensive.

 I think we should instead add new helpers when the offset can be user
controlled.

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 86737076101d4a8452e90fe78adcdcfdefb79169..1ad8a3e17b995f5b934dfa21448580de4f201acd
100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -4285,8 +4285,13 @@ static inline void * __must_check
 __skb_header_pointer(const struct sk_buff *skb, int offset, int len,
                     const void *data, int hlen, void *buffer)
 {
-       if (likely(hlen - offset >= len))
-               return (void *)data + offset;
+       if (likely(hlen - offset >= len)) {
+               unsigned char *ptr = (unsigned char *)data + offset;
+
+               if (skb && unlikely(ptr < skb->head))
+                       return NULL;
+               return ptr;
+       }


scripts/bloat-o-meter -t vmlinux.old vmlinux
add/remove: 2/0 grow/shrink: 56/1 up/down: 2539/-6 (2533)
Function                                     old     new   delta
__skb_flow_dissect                          7661    8315    +654
ipv6_find_hdr                               1005    1127    +122
br_multicast_rcv                            7973    8077    +104
ip_tunnel_xmit                              2635    2719     +84
__skb_header_pointer                           -      82     +82
ipv6_skip_exthdr                             428     505     +77


        if (!skb || unlikely(skb_copy_bits(skb, offset, buffer, len) < 0))
                return NULL;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ