Message-ID: <e45ac35b-8cb3-42c0-b5dc-d4c718ee0d9d@linuxfoundation.org>
Date: Fri, 7 Nov 2025 10:54:24 -0700
From: Shuah Khan <skhan@...uxfoundation.org>
To: Jakub Kicinski <kuba@...nel.org>,
 Prithvi Tambewagh <activprithvi@...il.com>
Cc: davem@...emloft.net, edumazet@...gle.com, pabeni@...hat.com,
 horms@...nel.org, alexanderduyck@...com, chuck.lever@...cle.com,
 linyunsheng@...wei.com, netdev@...r.kernel.org,
 linux-kernel@...r.kernel.org, david.hunter.linux@...il.com,
 khalid@...nel.org, linux-kernel-mentees@...ts.linux.dev,
 syzbot+4b8a1e4690e64b018227@...kaller.appspotmail.com,
 Shuah Khan <skhan@...uxfoundation.org>
Subject: Re: [PATCH] net: core: Initialize new header to zero in
 pskb_expand_head

On 11/6/25 17:57, Jakub Kicinski wrote:
> On Fri,  7 Nov 2025 00:54:23 +0530 Prithvi Tambewagh wrote:
>> KMSAN reports an uninitialized value in can_receive(). The crash trace shows
>> the uninitialized value was created in pskb_expand_head(). This function
>> expands the header of a socket buffer using kmalloc_reserve(), which doesn't
>> zero-initialize the memory. When the old packet data is copied to the new
>> buffer at an offset of data+nhead, the new header area (the first nhead bytes
>> of the new buffer) is left uninitialized. This is fixed by using memset() to
>> zero-initialize this header of the new buffer.
> 
> It's the caller's responsibility to initialize the skb data, please leave
> the core alone.
> 
>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
>> index 6841e61a6bd0..3486271260ac 100644
>> --- a/net/core/skbuff.c
>> +++ b/net/core/skbuff.c
>> @@ -2282,6 +2282,8 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
>>   	 */
>>   	memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head);
>>   
>> +	memset(data, 0, size);
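Review bot: `memset(data, 0, size)` is placed directly after `memcpy(data + nhead, skb->head, skb_tail_pointer(skb) - skb->head)` and covers the same region starting at `data`, so it zeroes the packet bytes the copy just wrote; as posted the hunk discards the payload rather than fixing the uninitialized headroom. If the intent stated in the commit message (zero the first nhead bytes) is kept, the call must be `memset(data, 0, nhead)` and must not overlap the copied range; note also that the hunk's own context shows an `ntail` parameter, and the commit message says nothing about those tail bytes, which the same allocator leaves equally uninitialized. Independently of the size argument, the maintainer's objection that skb data initialization is the caller's responsibility still applies.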
> 
> We just copied the data in there, and now you're zeroing it.

Prithvi,

This type of careless coding introduces serious problems. Don't
make changes to the code without understanding it. memcpy()
is right above where you added memset() which is hard to miss.

thanks,
-- Shuah
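To make the memcpy/memset ordering concrete, here is a userspace model of the copy-then-zero sequence from the thread. It is example code added for this page, not anything from net/core/skbuff.c: `struct model_skb`, `model_expand_head()`, `run_scenario()`, the `zero_policy` names and the sample payload are all invented, and `kmalloc_reserve()` is stood in for by `malloc()` plus a 0xAA fill so that "uninitialized" bytes are visible and deterministic. The three policies show that zeroing the whole buffer after the copy destroys the payload, that zeroing only the first `nhead` bytes leaves it intact, and that the `ntail` bytes stay uninitialized in every variant that does not touch them.

```c
/*
 * Added example, not kernel code: a userspace model of the copy/zero steps
 * in pskb_expand_head().  All names below are invented for the illustration;
 * malloc() + a POISON fill stands in for the non-zeroing kmalloc_reserve().
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0xAA	/* whatever the allocator left behind */

struct model_skb {
	uint8_t *head;	/* start of the allocation */
	uint8_t *data;	/* first byte of packet data */
	uint8_t *tail;	/* one past the last byte of packet data */
	size_t size;	/* bytes allocated at head */
};

enum zero_policy {
	ZERO_NONE,		/* unpatched behaviour */
	ZERO_WHOLE_AFTER,	/* memset(data, 0, size) after the memcpy, as in the posted hunk */
	ZERO_HEADROOM_ONLY,	/* memset(data, 0, nhead) before the memcpy */
};

struct scenario_result {
	int payload_ok;		/* 1 if the packet bytes survived the expansion */
	size_t headroom_poison;	/* POISON bytes left in [head, data) */
	size_t tailroom_poison;	/* POISON bytes left in [tail, head + size) */
};

/* Constructed sample payload: 8 nonzero bytes standing in for a frame. */
static const uint8_t sample_payload[] = {
	0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
};

static size_t count_poison(const uint8_t *from, const uint8_t *to)
{
	size_t n = 0;

	for (; from < to; from++)
		n += (*from == POISON);
	return n;
}

/*
 * Mirror pskb_expand_head(): allocate nhead + used + ntail bytes, copy the
 * old bytes to data + nhead, repoint head/data/tail.  Returns 0 or -1.
 */
static int model_expand_head(struct model_skb *skb, size_t nhead, size_t ntail,
			     enum zero_policy policy)
{
	size_t used = (size_t)(skb->tail - skb->head);
	size_t off_data = (size_t)(skb->data - skb->head);
	size_t size = nhead + used + ntail;
	uint8_t *data = malloc(size);

	if (!data)
		return -1;
	memset(data, POISON, size);	/* the allocator does not zero */

	if (policy == ZERO_HEADROOM_ONLY)
		memset(data, 0, nhead);	/* only the bytes the memcpy will not write */

	memcpy(data + nhead, skb->head, used);

	if (policy == ZERO_WHOLE_AFTER)
		memset(data, 0, size);	/* also wipes the bytes copied just above */

	free(skb->head);
	skb->head = data;
	skb->data = data + nhead + off_data;
	skb->tail = data + nhead + used;
	skb->size = size;
	return 0;
}

/* Build a zero-headroom skb around sample_payload, expand it, inspect it. */
static int run_scenario(enum zero_policy policy, struct scenario_result *out)
{
	struct model_skb skb;
	size_t len = sizeof(sample_payload);

	skb.head = malloc(len);
	if (!skb.head)
		return -1;
	memcpy(skb.head, sample_payload, len);
	skb.data = skb.head;
	skb.tail = skb.head + len;
	skb.size = len;

	if (model_expand_head(&skb, 16, 8, policy) < 0) {
		free(skb.head);
		return -1;
	}
	out->payload_ok = (size_t)(skb.tail - skb.data) == len &&
			  memcmp(skb.data, sample_payload, len) == 0;
	out->headroom_poison = count_poison(skb.head, skb.data);
	out->tailroom_poison = count_poison(skb.tail, skb.head + skb.size);
	free(skb.head);
	return 0;
}

int main(void)
{
	struct scenario_result r;

	for (int p = ZERO_NONE; p <= ZERO_HEADROOM_ONLY; p++) {
		if (run_scenario((enum zero_policy)p, &r) < 0)
			return 1;
		printf("policy %d: payload_ok=%d headroom_poison=%zu tailroom_poison=%zu\n",
		       p, r.payload_ok, r.headroom_poison, r.tailroom_poison);
	}
	return 0;
}
```

Build and run with `cc -std=c11 -Wall model.c && ./a.out` (the file name is arbitrary). The model uses 16 bytes of headroom and 8 of tailroom; with ZERO_WHOLE_AFTER the payload comparison fails because the zeroing runs over the region the copy just filled, which is exactly the objection raised in the thread, while ZERO_HEADROOM_ONLY keeps the payload and clears only the headroom but still leaves the 8 tail bytes as the allocator left them.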
