* [PATCH] net: sctp: fix KMSAN uninit-value in sctp_inq_pop
From: Ranganath V N @ 2025-10-23 9:52 UTC
To: Marcelo Ricardo Leitner, Xin Long, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: linux-sctp, netdev, linux-kernel, syzkaller-bugs,
syzbot+d101e12bccd4095460e7, Ranganath V N
Fix an issue detected by syzbot:
KMSAN reported an uninitialized-value access in sctp_inq_pop
while parsing an SCTP chunk header received from a locally transmitted packet.
BUG: KMSAN: uninit-value in sctp_inq_pop
The skb allocated in sctp_packet_transmit() contains uninitialized bytes.
The SCTP transmit path writes only the necessary header and chunk data;
the receive path reads from uninitialized parts of the skb, triggering KMSAN.
Fix this by explicitly zeroing the skb payload area after allocation
and reservation, ensuring all future reads from this region are fully
initialized.
Reported-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
Tested-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
Fixes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
---
KMSAN reported an uninitialized-value access in sctp_inq_pop
while parsing an SCTP chunk header received from a locally transmitted packet.
---
net/sctp/output.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/sctp/output.c b/net/sctp/output.c
index 23e96305cad7..e76413741faf 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -602,6 +602,8 @@ int sctp_packet_transmit(struct sctp_packet *packet, gfp_t gfp)
skb_reserve(head, packet->overhead + MAX_HEADER);
skb_set_owner_w(head, sk);
+ memset(head->data, 0, skb_tailroom(head));
+
/* set sctp header */
sh = skb_push(head, sizeof(struct sctphdr));
skb_reset_transport_header(head);
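Review bot: the added memset() zeroes the entire tailroom of every packet sctp_packet_transmit() builds, which hides the KMSAN report rather than fixing the read in sctp_inq_pop: the receive path is still consuming bytes beyond the valid chunk data, it just no longer sees them as uninitialized, and it is a per-packet cost on the transmit hot path. It also only covers locally generated skbs; packets arriving from a remote peer never pass through this function. As Xin Long points out later in the thread, the cause is that sk_filter() in sctp_rcv() can trim skb->len below a chunk header after the early length check has already passed, so the fix belongs in sctp_rcv() as a length check immediately after sk_filter(), e.g. `if (sk_filter(sk, skb) || skb->len < sizeof(struct sctp_chunkhdr)) goto discard_release;`, not in output.c. Separately, the Fixes: tag in the commit message should name the commit that introduced the bug (12-character SHA plus subject); the syzbot URL belongs in a Closes: tag.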
---
base-commit: 43e9ad0c55a369ecc84a4788d06a8a6bfa634f1c
change-id: 20251023-kmsan_fix-78d527b9960b
Best regards,
--
Ranganath V N <vnranganath.20@gmail.com>
* Re: [PATCH] net: sctp: fix KMSAN uninit-value in sctp_inq_pop
From: Xin Long @ 2025-10-23 16:56 UTC
To: Ranganath V N
Cc: Marcelo Ricardo Leitner, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman, linux-sctp, netdev,
linux-kernel, syzkaller-bugs, syzbot+d101e12bccd4095460e7
On Thu, Oct 23, 2025 at 5:52 AM Ranganath V N <vnranganath.20@gmail.com> wrote:
>
> Fix an issue detected by syzbot:
>
> KMSAN reported an uninitialized-value access in sctp_inq_pop
Hi, Ranganath,
The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
original check:
if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
skb_transport_offset(skb))
(TBH, I didn't expect it would allow BPF to trim skb in sk_filter().)
To handle this safely, a new check should be performed after sk_filter() like:
+ if (sk_filter(sk, skb) || skb->len < sizeof(struct sctp_chunkhdr))
goto discard_release;
Could you please proceed with this change in sctp_rcv()?
Thanks.
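The check ordering Xin Long describes, as an added C model that is not kernel code and not from this thread: struct skb, filter_fn and enum verdict are simplified stand-ins for the kernel types, the header sizes are the SCTP wire sizes, and the two filters are constructed to mirror a pass-through filter and the reproducer's trim to one byte.

```c
/* Added example, not kernel code: a model of the sctp_rcv() check ordering. */
#include <stdbool.h>

#define SCTPHDR_LEN  12  /* sizeof(struct sctphdr) */
#define CHUNKHDR_LEN  4  /* sizeof(struct sctp_chunkhdr) */

struct skb {                        /* stand-in for sk_buff (assumed) */
    unsigned int len;               /* valid bytes from data to tail */
    unsigned int transport_offset;  /* where the SCTP header starts */
};

/* Filter verdict: 0 drops, otherwise the length to keep; like sk_filter(),
 * a filter may trim the skb below a header size. */
typedef unsigned int (*filter_fn)(const struct skb *);

enum verdict { VERDICT_OK, VERDICT_DISCARD, VERDICT_OVERREAD };

/* One receive pass; post_filter_check selects the unfixed or fixed ordering. */
static enum verdict sctp_rcv_model(struct skb *skb, filter_fn f, bool post_filter_check)
{
    /* The early check from sctp_rcv(): both headers must fit. */
    if (skb->len < SCTPHDR_LEN + CHUNKHDR_LEN + skb->transport_offset)
        return VERDICT_DISCARD;
    /* Pull the transport offset and the common SCTP header. */
    skb->len -= skb->transport_offset + SCTPHDR_LEN;
    skb->transport_offset = 0;
    /* The filter runs after the early check and may shrink skb->len. */
    unsigned int keep = f(skb);
    if (keep == 0)
        return VERDICT_DISCARD;
    if (keep < skb->len)
        skb->len = keep;
    /* The check Xin Long proposes right after sk_filter(). */
    if (post_filter_check && skb->len < CHUNKHDR_LEN)
        return VERDICT_DISCARD;
    /* sctp_inq_pop() reads a whole chunk header from skb->data; with fewer
     * valid bytes than that the read runs into uninitialized memory. */
    return skb->len >= CHUNKHDR_LEN ? VERDICT_OK : VERDICT_OVERREAD;
}

/* Constructed filters: pass untouched, or trim to one byte as in the reproducer. */
static unsigned int filter_pass(const struct skb *skb) { return skb->len; }
static unsigned int filter_trim_to_one(const struct skb *skb) { (void)skb; return 1; }

/* A 20-byte IPv4 header in front of payload_len bytes of SCTP headers/chunks. */
static enum verdict receive(unsigned int payload_len, filter_fn f, bool fixed)
{
    struct skb skb = { .len = 20 + payload_len, .transport_offset = 20 };
    return sctp_rcv_model(&skb, f, fixed);
}
```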
* Re: [PATCH] net: sctp: fix KMSAN uninit-value in sctp_inq_pop
From: Ranganath V N @ 2025-10-23 17:38 UTC
To: lucien.xin
Cc: davem, edumazet, horms, kuba, linux-kernel, linux-sctp,
marcelo.leitner, netdev, pabeni, syzbot+d101e12bccd4095460e7,
syzkaller-bugs, vnranganath.20
Hi Xin,
Thank you for the feedback and response to the patch.
I would like to know whether the above analysis is valid or not.
And do you want me to test this suggestion with the syzbot?
regards,
Ranganath
* Re: [PATCH] net: sctp: fix KMSAN uninit-value in sctp_inq_pop
From: Xin Long @ 2025-10-23 17:49 UTC
To: Ranganath V N
Cc: davem, edumazet, horms, kuba, linux-kernel, linux-sctp,
marcelo.leitner, netdev, pabeni, syzbot+d101e12bccd4095460e7,
syzkaller-bugs
On Thu, Oct 23, 2025 at 1:38 PM Ranganath V N <vnranganath.20@gmail.com> wrote:
>
> Hi Xin,
>
> Thank you for the feedback and response to the patch.
> I would like to know whether the above analysis is valid or not.
> And do you want me to test this suggestion with the syzbot?
>
Yes, if it's possible.