netdev.vger.kernel.org archive mirror
From: Simon Horman <horms@kernel.org>
To: Edward Adam Davis <eadavis@qq.com>
Cc: syzbot+5dd615f890ddada54057@syzkaller.appspotmail.com,
	davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	pabeni@redhat.com, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] net: atm: targetless need more input msg
Date: Sun, 30 Nov 2025 15:56:42 +0000	[thread overview]
Message-ID: <aSxpOjsmyMPlB-Mg@horms.kernel.org> (raw)
In-Reply-To: <tencent_B31D1B432549BA28BB5633CB9E2C1B124B08@qq.com>

Hi Edward,

Thanks for taking time to look into this issue.

On Fri, Nov 28, 2025 at 11:56:25PM +0800, Edward Adam Davis wrote:
> syzbot found an uninitialized targetless variable. The user-provided
> data was only 28 bytes long, but initializing targetless requires at
> least 44 bytes. This discrepancy ultimately led to the uninitialized
> variable access issue reported by syzbot [1].
> 
> Adding a message length check to the arp update process eliminates
> the uninitialized issue in [1].
> 
> [1]
> BUG: KMSAN: uninit-value in lec_arp_update net/atm/lec.c:1845 [inline]
>  lec_arp_update net/atm/lec.c:1845 [inline]
>  lec_atm_send+0x2b02/0x55b0 net/atm/lec.c:385
>  vcc_sendmsg+0x1052/0x1190 net/atm/common.c:650
> 
> Reported-by: syzbot+5dd615f890ddada54057@syzkaller.appspotmail.com

I think it would be useful to also include:

Closes: https://syzkaller.appspot.com/bug?extid=5dd615f890ddada54057

And as a fix for Networking code it should include a fixes tag.
Briefly examining the history of this code, using git annotate,
it seems that this problem has existed since the beginning of git history.
If so, this tag seems appropriate:

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

Also, as a fix for Networking code present in the net tree,
it should be targeted at that tree, like this:

Subject: [PATCH net] ...

More information on the Networking development workflow can be found here:
https://docs.kernel.org/process/maintainer-netdev.html


> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  net/atm/lec.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/net/atm/lec.c b/net/atm/lec.c
> index afb8d3eb2185..178132b2771a 100644
> --- a/net/atm/lec.c
> +++ b/net/atm/lec.c
> @@ -382,6 +382,15 @@ static int lec_atm_send(struct atm_vcc *vcc, struct sk_buff *skb)
>  			break;
>  		fallthrough;
>  	case l_arp_update:
> +	{
> +		int need_size = offsetofend(struct atmlec_msg,
> +				content.normal.targetless_le_arp);
> +		if (skb->len < need_size) {

As per Eric's comment on a similar fix [1],
you should probably be using pskb_may_pull().

Also, I see that this patch addresses the l_arp_update case.
But it looks like a similar problem exists, at least in the l_config case,
too.

So I think it would be useful to take a more holistic approach.
Perhaps in the form of a patchset if you want to restrict this
patch to addressing the specific problem flagged by syzbot.

[1] https://lore.kernel.org/netdev/20251126034601.236922-1-ssranevjti@gmail.com/

> +			pr_info("Input msg size too small, need %d got %u\n",
> +				 need_size, skb->len);
> +			dev_kfree_skb(skb);
> +			return -EINVAL;
> +		}
>  		lec_arp_update(priv, mesg->content.normal.mac_addr,
>  			       mesg->content.normal.atm_addr,
>  			       mesg->content.normal.flag,
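Review bot: the pr_info() in the new error branch fires on every short message that reaches lec_atm_send() through sendmsg() (the vcc_sendmsg frame in the quoted report), so whoever holds the socket can fill the log at will; either rate-limit it (pr_info_ratelimited()) or drop the message entirely, since the -EINVAL return already tells the sender what happened. Separately, need_size is declared int although offsetofend() yields a size_t, and it is then compared with the unsigned skb->len; declare it size_t (or unsigned int) and print it with %zu so the comparison is sign-safe and the format matches. As Simon notes above, the length check itself should go through pskb_may_pull(skb, need_size) rather than a bare skb->len comparison, and a single check of the type field before the switch would cover the other cases that read mesg->content too.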

-- 
pw-bot: changes-requested
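The check under discussion, modelled in user space as an added example (this is not code from the thread, from net/atm/lec.c, or from the v2 patch). The struct is a partial reconstruction of struct atmlec_msg from the UAPI header, an assumption: only the header and the .normal member are reproduced, with ETH_ALEN = 6 and ATM_ESA_LEN = 20, which is why offsetofend() of targetless_le_arp comes to the 44 bytes the commit message quotes. The numeric type values are illustrative, not the kernel's enum. In the kernel the per-type minimum would be fed to pskb_may_pull() rather than compared with skb->len, as Simon points out, but the rule being enforced is the same.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define ETH_ALEN	6
#define ATM_ESA_LEN	20

/* Same definition as the kernel's offsetofend(): the offset of the first
 * byte after MEMBER, i.e. how many bytes must be present to read it. */
#define offsetofend(TYPE, MEMBER) \
	(offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

/* Illustrative type values (assumption); the kernel's enum
 * atmlec_msg_type is not reproduced, only the two cases in the thread. */
enum { l_arp_update = 1, l_config = 2 };

/* Partial reconstruction of struct atmlec_msg (assumption): header plus
 * the .normal member, which is all the l_arp_update path reads. Other
 * union members are omitted, so sizeof() is smaller than the kernel's. */
struct atmlec_msg {
	int type;
	int sizeoftlvs;
	union {
		struct {
			unsigned char mac_addr[ETH_ALEN];
			unsigned char atm_addr[ATM_ESA_LEN];
			unsigned int flag;
			unsigned int targetless_le_arp;
			unsigned int no_source_le_narp;
		} normal;
	} content;
};

/* Minimum message length for a type: the end of the last field its
 * handler dereferences. l_arp_update reads mac_addr, atm_addr, flag and
 * targetless_le_arp, so 4 + 4 + 6 + 20 + 2 (padding) + 4 + 4 = 44. */
static size_t lec_msg_min_len(int type)
{
	switch (type) {
	case l_arp_update:
		return offsetofend(struct atmlec_msg,
				   content.normal.targetless_le_arp);
	default:
		/* Types not modelled here: demand the whole struct. */
		return sizeof(struct atmlec_msg);
	}
}

/* Validate LEN bytes at BUF before any field is read. Returns 0 if every
 * field the type's handler touches is present, -EINVAL otherwise. The
 * type is read only once the header is known to be complete, so the
 * check itself never reads past the end of BUF. */
static int lec_msg_check(const unsigned char *buf, size_t len)
{
	int type;

	if (len < offsetofend(struct atmlec_msg, type))
		return -EINVAL;
	memcpy(&type, buf + offsetof(struct atmlec_msg, type), sizeof(type));
	if (len < lec_msg_min_len(type))
		return -EINVAL;
	return 0;
}

/* Constructed test input: an l_arp_update message truncated to LEN
 * bytes with a zero-filled payload. 28 mirrors what the commit message
 * says the reproducer sent; 44 is the minimum the handler needs. */
static int check_arp_update_of_len(size_t len)
{
	unsigned char buf[64] = { 0 };
	int type = l_arp_update;

	if (len > sizeof(buf))
		return -EINVAL;
	memcpy(buf, &type, sizeof(type));
	return lec_msg_check(buf, len);
}
```

The point of keeping the per-type minimum in one function is that every case of the switch in lec_atm_send() then shares a single check before the switch, instead of each case growing its own copy of the comparison.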

Thread overview: 7+ messages
2025-11-28 11:59 [syzbot] [net?] KMSAN: uninit-value in lec_atm_send syzbot
2025-11-28 15:56 ` [PATCH] net: atm: targetless need more input msg Edward Adam Davis
2025-11-30 15:56   ` Simon Horman [this message]
2025-12-01  1:35     ` Edward Adam Davis
2025-12-01  4:31     ` [PATCH net v2] net: atm: implement pre_send to check input before sending Edward Adam Davis
2025-12-04 10:35       ` Paolo Abeni
2025-12-04 10:26   ` [PATCH] net: atm: targetless need more input msg Paolo Abeni
