lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <tencent_B31D1B432549BA28BB5633CB9E2C1B124B08@qq.com>
Date: Fri, 28 Nov 2025 23:56:25 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+5dd615f890ddada54057@...kaller.appspotmail.com
Cc: davem@...emloft.net,
	edumazet@...gle.com,
	horms@...nel.org,
	kuba@...nel.org,
	linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org,
	pabeni@...hat.com,
	syzkaller-bugs@...glegroups.com
Subject: [PATCH] net: atm: targetless need more input msg

syzbot found an uninitialized targetless variable. The user-provided
data was only 28 bytes long, but initializing targetless requires at
least 44 bytes. This discrepancy ultimately led to the uninitialized
variable access issue reported by syzbot [1].

Adding a message length check to the arp update process eliminates
the uninitialized issue in [1].

[1]
BUG: KMSAN: uninit-value in lec_arp_update net/atm/lec.c:1845 [inline]
 lec_arp_update net/atm/lec.c:1845 [inline]
 lec_atm_send+0x2b02/0x55b0 net/atm/lec.c:385
 vcc_sendmsg+0x1052/0x1190 net/atm/common.c:650

Reported-by: syzbot+5dd615f890ddada54057@...kaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@...com>
---
 net/atm/lec.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/atm/lec.c b/net/atm/lec.c
index afb8d3eb2185..178132b2771a 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -382,6 +382,15 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb)
 			break;
 		fallthrough;
 	case l_arp_update:
+	{
+		int need_size = offsetofend(struct atmlec_msg,
+				content.normal.targetless_le_arp);
+		if (skb->len < need_size) {
+			pr_info("Input msg size too small, need %d got %u\n",
+				 need_size, skb->len);
+			dev_kfree_skb(skb);
+			return -EINVAL;
+		}
 		lec_arp_update(priv, mesg->content.normal.mac_addr,
 			       mesg->content.normal.atm_addr,
 			       mesg->content.normal.flag,
@@ -394,6 +403,7 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb)
 					    tmp, mesg->sizeoftlvs);
 		}
 		break;
+	}
 	case l_config:
 		priv->maximum_unknown_frame_count =
 		    mesg->content.config.maximum_unknown_frame_count;
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ