From: Will Rosenberg <whrosenb@asu.edu>
To: whrosenb@asu.edu
Cc: Paul Moore <paul@paul-moore.com>,
	"David S. Miller" <davem@davemloft.net>,
	David Ahern <dsahern@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>, Huw Davies <huw@codeweavers.com>,
	netdev@vger.kernel.org, linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: ipv4: cipso potential BUG()
Date: Mon, 19 Jan 2026 13:46:40 -0700
Message-ID: <aW6YMA11KFzSkgfw@gmail.com>

Previously, it was discussed that skb_cow() has a bug due to implicit
integer casting that can lead to a BUG when headroom < -NET_SKB_PAD. We
concluded that it was not worthwhile to fix the root cause and to
instead fix the symptom found in calipso. The thread for this issue can
be found here:

https://lore.kernel.org/netdev/CAHC9VhQmR8A2vz0W-VrrhYNQ2wgCYxHbAmdgmM2yTL-uh4qiOg@mail.gmail.com/

I recently reviewed the use cases of skb_cow() throughout the kernel and
found that cipso_v4_skbuff_setattr() comes very close to triggering the
same BUG. However, I concluded this was not triggerable. Even though
len_delta can become negative, leading to a negative headroom passed to
skb_cow(), we do not satisfy the condition headroom < -NET_SKB_PAD.

Nonetheless, I believe cipso is using skb_cow() dangerously, but since
the issue is not triggerable, would it still make sense to patch it?
I figured I would throw out a quick email. Please let me know and I can
make a similar patch for cipso if necessary.

--
Will Rosenberg


Thread overview: 5+ messages
2026-01-19 20:46 Will Rosenberg [this message]
2026-01-19 23:31 ` ipv4: cipso potential BUG() Paul Moore
2026-01-20 15:57   ` [PATCH] cipso: harden use of skb_cow() in cipso_v4_skbuff_setattr() Will Rosenberg
2026-01-22  0:48     ` Paul Moore
2026-01-22 11:20     ` patchwork-bot+netdevbpf
