Message-ID: <20250614161959.GR414686@horms.kernel.org>
Date: Sat, 14 Jun 2025 17:19:59 +0100
From: Simon Horman <horms@...nel.org>
To: Kuniyuki Iwashima <kuni1840@...il.com>
Cc: Chas Williams <3chas3@...il.com>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Kuniyuki Iwashima <kuniyu@...gle.com>, netdev@...r.kernel.org,
	linux-atm-general@...ts.sourceforge.net,
	syzbot+1d3c235276f62963e93a@...kaller.appspotmail.com
Subject: Re: [PATCH v1 net-next] atm: atmtcp: Free invalid length skb in
 atmtcp_c_send().

On Thu, Jun 12, 2025 at 10:56:55PM -0700, Kuniyuki Iwashima wrote:
> From: Kuniyuki Iwashima <kuniyu@...gle.com>
> 
> syzbot reported the splat below. [0]
> 
> vcc_sendmsg() copies data passed from userspace to skb and passes
> it to vcc->dev->ops->send().
> 
> atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after
> checking if skb->len is 0, but it's not enough.
> 
> Also, when skb->len == 0, skb and sk (vcc) were leaked because
> dev_kfree_skb() is not called and atm_return() is missing to
> revert atm_account_tx() in vcc_sendmsg().

Hi Iwashima-san,

I agree with the above and your patch.
But I am wondering if atm_return() also needs to be called when:

* atmtcp_c_send returns -ENOBUFS because atm_alloc_charge() fails.
* copy_from_iter_full returns false in vcc_sendmsg.

I ask because both occur after the call to atm_account_tx() in vcc_sendmsg().

> 
> Let's properly free skb with an invalid length in atmtcp_c_send().

...

> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: syzbot+1d3c235276f62963e93a@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=1d3c235276f62963e93a
> Tested-by: syzbot+1d3c235276f62963e93a@...kaller.appspotmail.com
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...gle.com>

My question above notwithstanding, this looks good to me.

Reviewed-by: Simon Horman <horms@...nel.org>

...
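The two defects the commit message describes (reading struct atmtcp_hdr out of an skb whose only guard was len != 0, and returning on the len == 0 path without dev_kfree_skb() or atm_return() to undo atm_account_tx()) and the reviewer's point (every error exit after the charge needs the same release) are illustrated below in a constructed user-space model. This is added example code, not the kernel's code or the patch under review; the skb, vcc and accounting types are simplified stand-ins with the names chosen here, and the 8-byte header layout (two 16-bit ids then a 32-bit length) is an assumption made for the example. The backing buffer is poisoned past skb->len so that a header read with too little data is observable instead of being undefined behaviour.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not kernel code). Header layout assumed: two 16-bit ids
 * followed by a 32-bit length, 8 bytes total. */
struct hdr_model {
    uint16_t vpi;
    uint16_t vci;
    uint32_t length;
};

#define BACKING 64          /* backing store is larger than len, poisoned past len */
#define POISON  0xAA

struct skb_model {
    unsigned char *head;    /* BACKING bytes; bytes past len hold POISON */
    size_t len;
};

struct vcc_model {
    long tx_inuse;          /* models the charge taken by atm_account_tx() */
    int skbs_in_flight;     /* models the sk reference held per in-flight skb */
};

/* Models vcc_sendmsg(): build the skb from "user" bytes, then charge the vcc. */
static struct skb_model *skb_from_user(struct vcc_model *vcc, const unsigned char *payload, size_t len)
{
    struct skb_model *skb = calloc(1, sizeof(*skb));
    skb->head = malloc(BACKING);
    memset(skb->head, POISON, BACKING);
    if (len)
        memcpy(skb->head, payload, len);
    skb->len = len;
    vcc->tx_inuse += (long)len;   /* atm_account_tx() */
    vcc->skbs_in_flight++;
    return skb;
}

/* Models atm_return() followed by dev_kfree_skb(). */
static void skb_return(struct vcc_model *vcc, struct skb_model *skb)
{
    vcc->tx_inuse -= (long)skb->len;
    vcc->skbs_in_flight--;
    free(skb->head);
    free(skb);
}

/* Buggy shape of the send path: only len == 0 is rejected, and the reject
 * path neither frees the skb nor reverts the charge. */
static int send_buggy(struct vcc_model *vcc, struct skb_model *skb, struct hdr_model *out)
{
    if (skb->len == 0)
        return -EINVAL;                      /* skb and charge leaked */
    memcpy(out, skb->head, sizeof(*out));    /* 0 < len < 8: reads past the data */
    skb_return(vcc, skb);
    return 0;
}

/* Fixed shape: a whole header must be present, and every error exit releases. */
static int send_fixed(struct vcc_model *vcc, struct skb_model *skb, struct hdr_model *out)
{
    if (skb->len < sizeof(*out)) {
        skb_return(vcc, skb);
        return -EINVAL;
    }
    memcpy(out, skb->head, sizeof(*out));
    skb_return(vcc, skb);
    return 0;
}

struct outcome {
    int rc;
    uint32_t length_seen;   /* header length field the send path consumed */
    int in_flight_after;    /* 0 means nothing leaked */
};

/* Run one constructed payload through either send path and report what happened. */
static struct outcome run_case(int fixed, const unsigned char *payload, size_t len)
{
    struct vcc_model vcc = {0};
    struct hdr_model hdr = {0};
    struct outcome o;
    struct skb_model *skb = skb_from_user(&vcc, payload, len);

    o.rc = fixed ? send_fixed(&vcc, skb, &hdr) : send_buggy(&vcc, skb, &hdr);
    o.length_seen = hdr.length;
    o.in_flight_after = vcc.skbs_in_flight;
    if (!fixed && o.rc != 0)
        skb_return(&vcc, skb);  /* leaked by the buggy path; reclaim so the model exits clean */
    return o;
}

int main(void)
{
    static const unsigned char three[] = {0x01, 0x02, 0x03};  /* constructed 3-byte send */
    struct outcome b = run_case(0, three, sizeof(three));
    struct outcome f = run_case(1, three, sizeof(three));
    printf("buggy: rc=%d length=0x%08x in_flight=%d\n", b.rc, b.length_seen, b.in_flight_after);
    printf("fixed: rc=%d length=0x%08x in_flight=%d\n", f.rc, f.length_seen, f.in_flight_after);
    return 0;
}
```

With a 3-byte payload the buggy path accepts the skb and its length field comes back as 0xAAAAAAAA, i.e. entirely from memory beyond the data the sender supplied; with an empty payload it returns -EINVAL and leaves one skb and one reference in flight. The fixed path rejects both and leaves nothing in flight, which is the property the reviewer is asking to see on the -ENOBUFS and copy_from_iter_full() exits as well.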
