lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250614202824.2182751-1-kuni1840@gmail.com>
Date: Sat, 14 Jun 2025 13:28:03 -0700
From: Kuniyuki Iwashima <kuni1840@...il.com>
To: horms@...nel.org
Cc: 3chas3@...il.com,
	davem@...emloft.net,
	edumazet@...gle.com,
	kuba@...nel.org,
	kuni1840@...il.com,
	kuniyu@...gle.com,
	linux-atm-general@...ts.sourceforge.net,
	netdev@...r.kernel.org,
	pabeni@...hat.com,
	syzbot+1d3c235276f62963e93a@...kaller.appspotmail.com
Subject: Re: [PATCH v1 net-next] atm: atmtcp: Free invalid length skb in atmtcp_c_send().

From: Simon Horman <horms@...nel.org>
Date: Sat, 14 Jun 2025 17:19:59 +0100
> On Thu, Jun 12, 2025 at 10:56:55PM -0700, Kuniyuki Iwashima wrote:
> > From: Kuniyuki Iwashima <kuniyu@...gle.com>
> > 
> > syzbot reported the splat below. [0]
> > 
> > vcc_sendmsg() copies data passed from userspace to skb and passes
> > it to vcc->dev->ops->send().
> > 
> > atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after
> > checking if skb->len is 0, but it's not enough.
> > 
> > Also, when skb->len == 0, skb and sk (vcc) were leaked because
> > dev_kfree_skb() is not called and atm_return() is missing to
> > revert atm_account_tx() in vcc_sendmsg().
> 
> Hi Iwashima-san,
> 
> I agree with the above and your patch.
> But I am wondering if atm_return() also needs to be called when:

Oh, I noticed atm_return() was for rmem_alloc, so I had to adjust
wmem_alloc manually here.


> 
> * atmtcp_c_send returns -ENOBUFS because atm_alloc_charge() fails.

In this case, I guess vcc->pop is atm_pop_raw() that handles wmem
accounting.

        if (vcc->pop) vcc->pop(vcc,skb);
        else dev_kfree_skb(skb);

If it's NULL, we need to adjust it here, but this pattern can be
seen other ATM drivers..

Okay, sendmsg() requires SS_CONNECTED, and __vcc_connect() must go
through one of atm_init_aal{0,34,5}, which sets ->pop to atm_pop_raw().

So, it seems !vcc->pop() is defensive unlikely path.

In v2, I'll change the invalid length handling to goto done;


> * copy_from_iter_full returns false in vcc_sendmsg.

I agree.  I can send a followup.

Thank you!

pw-bot: cr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ