From: Steffen Klassert <steffen.klassert@secunet.com>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>, <netdev@vger.kernel.org>,
<eric.dumazet@gmail.com>,
<syzbot+b518dfc8e021988fbd55@syzkaller.appspotmail.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [PATCH net] af_key: validate families in pfkey_send_migrate()
Date: Tue, 17 Mar 2026 11:42:36 +0100
Message-ID: <abkwHKnsm-AWwinP@secunet.com>
In-Reply-To: <20260314170210.4039941-1-edumazet@google.com>

On Sat, Mar 14, 2026 at 05:02:10PM +0000, Eric Dumazet wrote:
> syzbot was able to trigger a crash in skb_put() [1]
>
> Issue is that pfkey_send_migrate() does not check old/new families,
> and that set_ipsecrequest() @family argument was truncated,
> thus possibly overfilling the skb.
>
> Validate families early, do not wait for set_ipsecrequest().
>
> [1]
>
> skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL>
> kernel BUG at net/core/skbuff.c:214 !
> Call Trace:
> <TASK>
> skb_over_panic net/core/skbuff.c:219 [inline]
> skb_put+0x159/0x210 net/core/skbuff.c:2655
> skb_put_zero include/linux/skbuff.h:2788 [inline]
> set_ipsecrequest net/key/af_key.c:3532 [inline]
> pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636
> km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848
> xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705
> xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150
>
> Fixes: 08de61beab8a ("[PFKEYV2]: Extension for dynamic update of endpoint address(es)")
> Reported-by: syzbot+b518dfc8e021988fbd55@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/69b5933c.050a0220.248e02.00f2.GAE@google.com/T/#u
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Steffen Klassert <steffen.klassert@secunet.com>
> Cc: Herbert Xu <herbert@gondor.apana.org.au>

Applied to the ipsec tree, thanks a lot Eric!
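The commit message above describes a length-accounting mismatch: the buffer size is computed from the full family value, while the writer is handed a truncated copy of it and so may emit more bytes than were reserved. The following is an added, constructed C model of that class of bug and of the "validate early" fix; it is not the kernel's af_key.c code, and all names (model_*), the 8-byte and 16-byte header sizes, and the MODEL_AF_* values are assumptions made for the illustration. The overflow check in model_put() reports an error where the kernel's skb_put() would panic.

```c
/* Constructed model (not net/key/af_key.c) of the size-accounting bug
 * described in the commit message: the buffer is sized from a 16-bit
 * family value, but the writer only sees the low 8 bits of it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MODEL_AF_INET    2     /* assumed model values, not <sys/socket.h> */
#define MODEL_AF_INET6   10
#define MODEL_EINVAL     (-22) /* unknown family rejected */
#define MODEL_EOVERFLOW  (-1)  /* write exceeded the reservation */

/* Sockaddr length for a family, 0 for anything we do not recognise. */
static size_t model_sockaddr_len(uint16_t family)
{
    switch (family) {
    case MODEL_AF_INET:  return 16;  /* sizeof(struct sockaddr_in) */
    case MODEL_AF_INET6: return 28;  /* sizeof(struct sockaddr_in6) */
    default:             return 0;
    }
}

struct model_buf {
    unsigned char data[256];
    size_t len;   /* bytes used so far */
    size_t end;   /* bytes reserved when the buffer was sized */
};

/* Model of skb_put(): refuses to grow past the reservation and reports it,
 * where the kernel would hit skb_over_panic(). Returns 0 on success. */
static int model_put(struct model_buf *b, size_t n)
{
    if (b->len + n > b->end)
        return MODEL_EOVERFLOW;
    memset(b->data + b->len, 0, n);
    b->len += n;
    return 0;
}

/* Writer: emits a 16-byte request header plus two sockaddrs. The family
 * parameter is deliberately narrow (uint8_t) to model the truncation. */
static int model_set_ipsecrequest(struct model_buf *b, uint8_t family)
{
    size_t socklen = model_sockaddr_len(family);
    if (!socklen)
        return MODEL_EINVAL;        /* this check runs too late */
    return model_put(b, 16 + 2 * socklen);
}

/* Buggy sender: sizes the buffer from the wide family value, then hands
 * the writer a truncated copy. A family such as 0x0102 sizes as "unknown"
 * (0 bytes of sockaddr) but is written as MODEL_AF_INET (2 x 16 bytes). */
static int model_send_migrate_buggy(uint16_t old_family, unsigned n_reqs)
{
    struct model_buf b = {0};
    size_t per = 16 + 2 * model_sockaddr_len(old_family);
    int err;

    b.end = 8 + n_reqs * per;       /* 8-byte message header + requests */
    if ((err = model_put(&b, 8)))
        return err;
    for (unsigned i = 0; i < n_reqs; i++)
        if ((err = model_set_ipsecrequest(&b, (uint8_t)old_family)))
            return err;
    return 0;
}

/* Fixed sender: validate the family up front, using the same lookup the
 * size computation relies on, before any buffer is sized or written. */
static int model_send_migrate_fixed(uint16_t old_family, unsigned n_reqs)
{
    if (!model_sockaddr_len(old_family))
        return MODEL_EINVAL;
    return model_send_migrate_buggy(old_family, n_reqs);
}

int main(void)
{
    printf("buggy, family 0x0102: %d (expect %d, overflow)\n",
           model_send_migrate_buggy(0x0102, 1), MODEL_EOVERFLOW);
    printf("fixed, family 0x0102: %d (expect %d, rejected early)\n",
           model_send_migrate_fixed(0x0102, 1), MODEL_EINVAL);
    printf("fixed, AF_INET6 x2:   %d (expect 0)\n",
           model_send_migrate_fixed(MODEL_AF_INET6, 2));
    return 0;
}
```

The point the model makes is that a validity check inside the writer cannot protect a reservation that was computed from a different (wider) view of the same value; the check has to happen once, early, on the value the size computation actually uses.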