public inbox for linux-kernel@vger.kernel.org
From: syzbot <syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: Re: [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb
Date: Sun, 29 Mar 2026 19:37:54 -0700
Message-ID: <69c9e202.a70a0220.97f31.010b.GAE@google.com>
In-Reply-To: <6954bc70.050a0220.a1b6.0310.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb
Author: sun.jian.kdev@gmail.com

Hi syzbot,

Please test this patch.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From 79039ad5c9cb7906225296c9a98d1c6616990fec Mon Sep 17 00:00:00 2001
From: Sun Jian <sun.jian.kdev@gmail.com>
Date: Sun, 29 Mar 2026 20:20:39 +0800
Subject: [PATCH v2] selftests/bpf: Reject malformed IPv4/IPv6 skb test input

bpf_prog_test_run_skb() derives skb->protocol from the Ethernet header
through eth_type_trans(), but it does not verify that the provided
linear input is long enough to contain the corresponding L3 base header.

This can result in an inconsistent skb being passed to test_run helpers
such as bpf_skb_adjust_room(), where inferred protocol offsets can lead
to operating on uninitialized memory, triggering KMSAN errors.

To reject such malformed test input, we check that the linear head is
sufficiently large to contain the corresponding L3 base header (IPv4
or IPv6) before running the program.

Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
---
v2:
 - Ensured that the linear head is large enough to accommodate the corresponding L3 base header (IPv4 or IPv6), before running the program.

Link: <https://lore.kernel.org/bpf/129d235b04aca276c0a57c7c3646ce48644458cdc85d9b92b25f405e2d58a9ae@mail.kernel.org/>

 net/bpf/test_run.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 178c4738e63b..4790bee535b9 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -1118,6 +1118,25 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
 	skb->protocol = eth_type_trans(skb, dev);
 	skb_reset_network_header(skb);
 
+	switch (skb->protocol) {
+	case htons(ETH_P_IP):
+		if (skb_headlen(skb) < sizeof(struct iphdr)) {
+			ret = -EINVAL;
+			goto out;
+		}
+		break;
+#if IS_ENABLED(CONFIG_IPV6)
+	case htons(ETH_P_IPV6):
+		if (skb_headlen(skb) < sizeof(struct ipv6hdr)) {
+			ret = -EINVAL;
+			goto out;
+		}
+		break;
+#endif
+	default:
+		break;
+	}
+
 	switch (skb->protocol) {
 	case htons(ETH_P_IP):
 		sk->sk_family = AF_INET;
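Review bot: the new size check duplicates the dispatch of the `switch (skb->protocol)` that immediately follows it (the same `case htons(ETH_P_IP):` and `case htons(ETH_P_IPV6):` arms), so the `skb_headlen()` comparisons could be folded into that existing switch, which would also drop the redundant `default: break;` arm. Since `ret = -EINVAL; goto out;` is a new early exit taken after the skb has been built, it is worth confirming in the commit message that the `out` label path releases the skb. The message should also say whether any existing selftest feeds frames shorter than the L3 base header, because returning -EINVAL here is a user-visible change to BPF_PROG_TEST_RUN, and the subject prefix `selftests/bpf:` does not match the file touched, `net/bpf/test_run.c`, which is kernel code rather than a selftest.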

base-commit: cbfffcca2bf0622b601b7eaf477aa29035169184
-- 
2.43.0
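To make the condition the patch enforces concrete, here is an added user-space model of the check (example code written for this note, not kernel code and not part of the patch). It classifies a constructed Ethernet frame by ethertype and, mirroring what skb_headlen() reports after eth_type_trans() has pulled the 14-byte Ethernet header, rejects frames whose remaining linear length is shorter than the IPv4 (20-byte) or IPv6 (40-byte) base header; the header sizes are the standard wire sizes and the test frames are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Standard wire sizes, matching ETH_HLEN, sizeof(struct iphdr) and
 * sizeof(struct ipv6hdr) in the kernel. */
#define ETH_HLEN     14
#define ETH_P_IP     0x0800
#define ETH_P_IPV6   0x86DD
#define IPV4_HDR_LEN 20
#define IPV6_HDR_LEN 40
#ifndef EINVAL
#define EINVAL       22
#endif

/* User-space model of the patch's check. After eth_type_trans() has pulled the
 * Ethernet header, skb_headlen() is the remaining linear length; the frame is
 * rejected (-EINVAL) when that is shorter than the L3 base header implied by
 * the ethertype. Other ethertypes are left alone, as in the patch. */
int check_l3_base_header(const uint8_t *frame, size_t len)
{
	if (len < ETH_HLEN)
		return -EINVAL; /* cannot even read the ethertype */
	uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
	size_t headlen = len - ETH_HLEN;

	switch (ethertype) {
	case ETH_P_IP:
		return headlen < IPV4_HDR_LEN ? -EINVAL : 0;
	case ETH_P_IPV6:
		return headlen < IPV6_HDR_LEN ? -EINVAL : 0;
	default:
		return 0;
	}
}

/* Constructed test input: an Ethernet header carrying the given ethertype
 * followed by payload_len zero bytes, then run through the check. */
int run_case(uint16_t ethertype, size_t payload_len)
{
	uint8_t frame[256] = {0};

	if (ETH_HLEN + payload_len > sizeof(frame))
		return -EINVAL;
	frame[12] = (uint8_t)(ethertype >> 8);
	frame[13] = (uint8_t)(ethertype & 0xff);
	return check_l3_base_header(frame, ETH_HLEN + payload_len);
}
```

run_case(ETH_P_IP, 19) and run_case(ETH_P_IPV6, 39) return -22, the truncated inputs the patch now rejects, while a full 20- or 40-byte base header and a non-IP ethertype such as ARP return 0.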


Thread overview: 12+ messages
2025-12-31  6:02 [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
2026-01-02  2:20 ` Forwarded: [PATCH] net: skbuff: fix KMSAN uninit-value in pskb_expand_head() syzbot
2026-01-04  2:01 ` syzbot
2026-01-04  3:48 ` syzbot
2026-01-04  3:58 ` syzbot
2026-01-14 12:09 ` Forwarded: [PATCH] net: skbuff: fix uninitialized memory use " syzbot
2026-01-14 12:33 ` syzbot
2026-01-14 13:56 ` Soham Metha
2026-01-14 15:06   ` [syzbot] [bpf?] KMSAN: uninit-value in bpf_prog_test_run_skb syzbot
2026-01-26 11:43 ` [PATCH v2] net: skbuff: fix uninitialized memory use in pskb_expand_head() Soham Metha
2026-01-26 13:26   ` Eric Dumazet
2026-03-30  2:37 ` syzbot [this message]