From: syzbot <syzbot+be97dd4da14ae88b6ba4@syzkaller.appspotmail.com>
To: 1599101385@qq.com
Cc: 1599101385@qq.com, davem@davemloft.net, edumazet@google.com,
	 herbert@gondor.apana.org.au, horms@kernel.org, kuba@kernel.org,
	 linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	pabeni@redhat.com,  steffen.klassert@secunet.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] kernel BUG in set_ipsecrequest
Date: Sun, 19 Oct 2025 23:01:18 -0700
Message-ID: <68f5d02e.050a0220.91a22.043e.GAE@google.com>
In-Reply-To: <tencent_03EA78899E616FF00CC749FE8840EA81410A@qq.com>

> #syz test:

want either no args or 2 args (repo, branch), got 7

> From 2edfc8833e43cdf5ccda8bd5be3da5d1bbdc69c6 Mon Sep 17 00:00:00 2001
> From: clingfei <1599101385@qq.com>
> Date: Mon, 20 Oct 2025 13:40:35 +0800
> Subject: [PATCH] fix integer overflow in set_ipsecrequest
> The mp->new_family and mp->old_family are u16, while set_ipsecrequest receives family as uint8_t,
> causing an integer overflow and the later size_req calculation error, which ultimately triggered a
> kernel bug in skb_put.
>
> Reported-by: syzbot+be97dd4da14ae88b6ba4@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
>
> ---
>  net/key/af_key.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/key/af_key.c b/net/key/af_key.c
> index 2ebde0352245..08f4cde01994 100644
> --- a/net/key/af_key.c
> +++ b/net/key/af_key.c
> @@ -3518,7 +3518,7 @@ static int set_sadb_kmaddress(struct sk_buff *skb, const struct xfrm_kmaddress *
>
>  static int set_ipsecrequest(struct sk_buff *skb,
>                             uint8_t proto, uint8_t mode, int level,
> -                           uint32_t reqid, uint8_t family,
> +                           uint32_t reqid, uint16_t family,
>                             const xfrm_address_t *src, const xfrm_address_t *dst)
>  {
>         struct sadb_x_ipsecrequest *rq;
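Review bot: Widening `family` to `uint16_t` in the `set_ipsecrequest()` signature stops the truncation, but nothing in this hunk makes the function reject a family it cannot size, so the `size_req` calculation the commit message blames now receives the full 16-bit value unchecked. The body should validate `family` (or the length computed from it) and return an error before the `skb_put` the message mentions, rather than rely on the parameter type alone. The callers that pass `mp->old_family` and `mp->new_family` are outside this diff, so the changelog should say whether they already validate the value. The message also carries no Signed-off-by or Fixes: line and has no blank line between the Subject and the body, and the patch was pasted inline after `#syz test:`, which syzbot rejected above with "want either no args or 2 args (repo, branch), got 7".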
> --
> 2.34.1


Thread overview: 17+ messages
2025-10-20  6:00 [syzbot] [net?] kernel BUG in set_ipsecrequest 1599101385
2025-10-20  6:01 ` syzbot [this message]
  -- strict thread matches above, loose matches on Subject: below --
2025-11-06 13:56 [PATCH 3/3] net: key: Validate address family in set_ipsecrequest() clingfei
2025-11-06 14:22 ` [syzbot] [net?] kernel BUG in set_ipsecrequest syzbot
     [not found] <20251020111926.938354-1-1599101385@qq.com>
2025-10-20 13:48 ` syzbot
     [not found] <CADPKJ-7HnHKJ6RxzUcLh8NSXRq+99aim5tTvhz8j1s-TMx9saA@mail.gmail.com>
2025-10-20  7:56 ` syzbot
2025-10-20  7:30 [PATCH] Fix integer overflow in set_ipsecrequest() clingfei
2025-10-20  7:36 ` [syzbot] [net?] kernel BUG in set_ipsecrequest syzbot
2025-10-20  7:46   ` clingfei
2025-10-20  7:48     ` syzbot
2025-10-20  6:03 1599101385
     [not found] <20251020025728.15250-1-ssranevjti@gmail.com>
2025-10-20  3:16 ` syzbot
2025-10-20  2:49 [PATCH] net: key: Validate address family in set_ipsecrequest() SHAURYA RANE
2025-10-20  2:52 ` [syzbot] [net?] kernel BUG in set_ipsecrequest syzbot
     [not found] <ac912e45-9267-4c0c-b700-dd1b602ef2c0@gmail.com>
2025-10-19 18:32 ` syzbot
     [not found] <81eb1a55-dd34-43d1-93d1-33d0f24c7622@ee.vjti.ac.in>
2025-10-19 18:31 ` syzbot
2025-10-17  5:53 syzbot
2025-10-17 10:53 ` syzbot
2025-10-19 18:29 ` shaurya
2025-10-19 18:32   ` syzbot