From: Jakub Kicinski <kuba@kernel.org>
To: Dmitry Antipov <dmantipov@yandex.ru>
Cc: Tom Herbert <tom@herbertland.com>,
	Paolo Abeni <pabeni@redhat.com>,
	netdev@vger.kernel.org, lvc-project@linuxtesting.org,
	syzbot+b72d86aa5df17ce74c60@syzkaller.appspotmail.com
Subject: Re: [PATCH] net: kcm: use previously opened message only once
Date: Mon, 5 Aug 2024 17:00:57 -0700	[thread overview]
Message-ID: <20240805170057.60b06b2c@kernel.org> (raw)
In-Reply-To: <20240801130833.680962-1-dmantipov@yandex.ru>

On Thu,  1 Aug 2024 16:08:33 +0300 Dmitry Antipov wrote:
> When the syzkaller reproducer injects an 'alloc_skb()' failure at line
> 817, 'kcm_sendmsg()' may return with a partial message saved at
> 'kcm->seq_skb'. The next call of this function will try to build the
> next message starting from the saved one, but should do it only
> once. Otherwise a complete mess in skb management causes
> undefined behavior of any kind, including UAFs reported by KASAN.
> 
> Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
> Reported-by: syzbot+b72d86aa5df17ce74c60@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b72d86aa5df17ce74c60
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> ---
>  net/kcm/kcmsock.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
> index 2f191e50d4fc..fa5ce5c88045 100644
> --- a/net/kcm/kcmsock.c
> +++ b/net/kcm/kcmsock.c
> @@ -766,6 +766,8 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
>  	if (kcm->seq_skb) {
>  		/* Previously opened message */
>  		head = kcm->seq_skb;
> +		/* ...should be used only once */
> +		kcm->seq_skb = NULL;
>  		skb = kcm_tx_msg(head)->last_skb;
>  		goto start;
>  	}
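Review bot: clearing `kcm->seq_skb` at the moment the saved message is picked up changes what the rest of `kcm_sendmsg()` sees, in particular the later handling Jakub points to (kcmsock.c#L940 in v6.10-rc4), which will now observe `kcm->seq_skb == NULL` instead of `head` for the remainder of this call, including on the error path. The commit message should state whether that change in behavior is intended and why it is safe, or the patch should adjust that handling in the same change so the two sites stay consistent. Minor style point: the two-line comment "/* Previously opened message */" followed by "/* ...should be used only once */" reads awkwardly; fold it into a single comment such as "/* Previously opened message, to be used only once */" above the `head = kcm->seq_skb;` line.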

Not sure how much this matters but if we clear seq_skb then handling
here:
https://elixir.bootlin.com/linux/v6.10-rc4/source/net/kcm/kcmsock.c#L940
will work differently.
