* [PATCH v3] net: sctp: fix KMSAN uninit-value in sctp_inq_pop
@ 2025-10-26 16:33 Ranganath V N
2025-10-28 15:14 ` Simon Horman
2025-10-30 10:50 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Ranganath V N @ 2025-10-26 16:33 UTC (permalink / raw)
To: Marcelo Ricardo Leitner, Xin Long, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: linux-sctp, netdev, linux-kernel, syzkaller-bugs,
syzbot+d101e12bccd4095460e7, Ranganath V N
Fix an issue detected by syzbot:
KMSAN reported an uninitialized-value access in sctp_inq_pop
BUG: KMSAN: uninit-value in sctp_inq_pop
The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
original check:
if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
skb_transport_offset(skb))
To handle this safely, a new check should be performed after sk_filter().
Reported-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
Tested-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
---
KMSAN reported an uninitialized-value access in sctp_inq_pop
---
Changes in v3:
- fixes the patch format like fixes and closes tags.
- Link to v2: https://lore.kernel.org/r/20251024-kmsan_fix-v2-1-dc393cfb9071@gmail.com
Changes in v2:
- changes in commit message as per the code changes.
- fixed as per the suggestion.
- Link to v1: https://lore.kernel.org/r/20251023-kmsan_fix-v1-1-d08c18db8877@gmail.com
---
net/sctp/input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 7e99894778d4..e119e460ccde 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -190,7 +190,7 @@ int sctp_rcv(struct sk_buff *skb)
goto discard_release;
nf_reset_ct(skb);
- if (sk_filter(sk, skb))
+ if (sk_filter(sk, skb) || skb->len < sizeof(struct sctp_chunkhdr))
goto discard_release;
/* Create an SCTP packet structure. */
---
base-commit: 43e9ad0c55a369ecc84a4788d06a8a6bfa634f1c
change-id: 20251023-kmsan_fix-78d527b9960b
Best regards,
--
Ranganath V N <vnranganath.20@gmail.com>
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH v3] net: sctp: fix KMSAN uninit-value in sctp_inq_pop
2025-10-26 16:33 [PATCH v3] net: sctp: fix KMSAN uninit-value in sctp_inq_pop Ranganath V N
@ 2025-10-28 15:14 ` Simon Horman
2025-10-30 10:50 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Simon Horman @ 2025-10-28 15:14 UTC (permalink / raw)
To: Ranganath V N
Cc: Marcelo Ricardo Leitner, Xin Long, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, linux-sctp, netdev, linux-kernel,
syzkaller-bugs, syzbot+d101e12bccd4095460e7
On Sun, Oct 26, 2025 at 10:03:12PM +0530, Ranganath V N wrote:
> Fix an issue detected by syzbot:
>
> KMSAN reported an uninitialized-value access in sctp_inq_pop
> BUG: KMSAN: uninit-value in sctp_inq_pop
>
> The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
> In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
> original check:
>
> if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
> skb_transport_offset(skb))
> To handle this safely, a new check should be performed after sk_filter().
>
> Reported-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
> Tested-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Suggested-by: Xin Long <lucien.xin@gmail.com>
> Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
> ---
> KMSAN reported an uninitialized-value access in sctp_inq_pop
> ---
> Changes in v3:
> - fixes the patch format like fixes and closes tags.
> - Link to v2: https://lore.kernel.org/r/20251024-kmsan_fix-v2-1-dc393cfb9071@gmail.com
Thanks for the update. This version looks good to me.
And I assume it is for net.
Reviewed-by: Simon Horman <horms@kernel.org>
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH v3] net: sctp: fix KMSAN uninit-value in sctp_inq_pop
2025-10-26 16:33 [PATCH v3] net: sctp: fix KMSAN uninit-value in sctp_inq_pop Ranganath V N
2025-10-28 15:14 ` Simon Horman
@ 2025-10-30 10:50 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-10-30 10:50 UTC (permalink / raw)
To: Ranganath V N
Cc: marcelo.leitner, lucien.xin, davem, edumazet, kuba, pabeni, horms,
linux-sctp, netdev, linux-kernel, syzkaller-bugs,
syzbot+d101e12bccd4095460e7
Hello:
This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:
On Sun, 26 Oct 2025 22:03:12 +0530 you wrote:
> Fix an issue detected by syzbot:
>
> KMSAN reported an uninitialized-value access in sctp_inq_pop
> BUG: KMSAN: uninit-value in sctp_inq_pop
>
> The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
> In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
> original check:
>
> [...]
Here is the summary with links:
- [v3] net: sctp: fix KMSAN uninit-value in sctp_inq_pop
https://git.kernel.org/netdev/net/c/51e5ad549c43
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-10-30 10:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-26 16:33 [PATCH v3] net: sctp: fix KMSAN uninit-value in sctp_inq_pop Ranganath V N
2025-10-28 15:14 ` Simon Horman
2025-10-30 10:50 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).