Message-ID: <68f5d02e.050a0220.91a22.043e.GAE@google.com>
Date: Sun, 19 Oct 2025 23:01:18 -0700
From: syzbot <syzbot+be97dd4da14ae88b6ba4@...kaller.appspotmail.com>
To: 1599101385@...com
Cc: 1599101385@...com, davem@...emloft.net, edumazet@...gle.com,
herbert@...dor.apana.org.au, horms@...nel.org, kuba@...nel.org,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org, pabeni@...hat.com,
steffen.klassert@...unet.com, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] kernel BUG in set_ipsecrequest
> #syz test:
want either no args or 2 args (repo, branch), got 7
> From 2edfc8833e43cdf5ccda8bd5be3da5d1bbdc69c6 Mon Sep 17 00:00:00 2001
> From: clingfei <1599101385@...com>
> Date: Mon, 20 Oct 2025 13:40:35 +0800
> Subject: [PATCH] fix integer overflow in set_ipsecrequest
>
> The mp->new_family and mp->old_family are u16, while set_ipsecrequest receives family as uint8_t,
> causing an integer overflow and the later size_req calculation error, which ultimately triggered a
> kernel bug in skb_put.
>
> Reported-by: syzbot+be97dd4da14ae88b6ba4@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
>
> ---
> net/key/af_key.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/key/af_key.c b/net/key/af_key.c
> index 2ebde0352245..08f4cde01994 100644
> --- a/net/key/af_key.c
> +++ b/net/key/af_key.c
> @@ -3518,7 +3518,7 @@ static int set_sadb_kmaddress(struct sk_buff *skb, const struct xfrm_kmaddress *
>
> static int set_ipsecrequest(struct sk_buff *skb,
> uint8_t proto, uint8_t mode, int level,
> - uint32_t reqid, uint8_t family,
> + uint32_t reqid, uint16_t family,
> const xfrm_address_t *src, const xfrm_address_t *dst)
> {
> struct sadb_x_ipsecrequest *rq;
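Review bot: at the `uint16_t family` parameter, widening the type stops the u16 values from mp->new_family and mp->old_family being narrowed on the call, but nothing visible in this hunk rejects a family value the function cannot size. If the size_req calculation named in the commit message can still come out wrong for an unsupported family, set_ipsecrequest should check for that and return an error before reaching skb_put instead of relying on every caller to pass a sane value. On the commit message: it carries Reported-by: and Closes: but no Signed-off-by: or Fixes: line, and what it calls an integer overflow is, going by its own description, a u16 being truncated to uint8_t, which would be the clearer wording for the subject.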
> --
> 2.34.1