Message-ID: <8734ahcndl.fsf@posteo.net>
Date: Sun, 27 Jul 2025 21:52:41 +0000
From: Charalampos Mitrodimas <charmitro@...teo.net>
To: Steffen Klassert <steffen.klassert@...unet.com>
Cc: Herbert Xu <herbert@...dor.apana.org.au>,  "David S. Miller"
 <davem@...emloft.net>,  David Ahern <dsahern@...nel.org>,  Eric Dumazet
 <edumazet@...gle.com>,  Jakub Kicinski <kuba@...nel.org>,  Paolo Abeni
 <pabeni@...hat.com>,  Simon Horman <horms@...nel.org>,
  netdev@...r.kernel.org,  linux-kernel@...r.kernel.org,
  syzbot+01b0667934cdceb4451c@...kaller.appspotmail.com
Subject: Re: [PATCH net] net: ipv6: fix buffer overflow in AH output

Charalampos Mitrodimas <charmitro@...teo.net> writes:

> Fix a buffer overflow where extension headers are incorrectly copied
> to the IPv6 address fields, resulting in a field-spanning write of up
> to 40 bytes into a 16-byte field (IPv6 address).
>
>   memcpy: detected field-spanning write (size 40) of single field "&top_iph->saddr" at net/ipv6/ah6.c:439 (size 16)
>   WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439
>
> The issue occurs in ah6_output() and ah6_output_done() where the code
> attempts to save/restore extension headers by copying them to/from the
> IPv6 source/destination address fields based on the CONFIG_IPV6_MIP6
> setting.
>
> Reported-by: syzbot+01b0667934cdceb4451c@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b4169a1cfb945d2ed0ec

Oops, wrong syzbot dashboard link. v2 is sent.

C. Mitrodimas
