ipv4: cipso potential BUG()

ipv4: cipso potential BUG()

[Will Rosenberg]

Previously, it was discussed that skb_cow() has a bug due to implicit
integer casting that can lead to a BUG when headroom < -NET_SKB_PAD. We
concluded that it was not worthwhile to fix the root cause and to
instead fix the symptom found in calipso. The thread for this issue can
be found here:

https://lore.kernel.org/netdev/CAHC9VhQmR8A2vz0W-VrrhYNQ2wgCYxHbAmdgmM2yTL-uh4qiOg@mail.gmail.com/

I recently reviewed the use cases of skb_cow() throughout the kernel and
found that cipso_v4_skbuff_setattr() comes very close to triggering the
same BUG. However, I concluded this was not triggerable. Even though
len_delta can become negative, leading to a negative headroom passed to
skb_cow(), we do not satisfy the condition headroom < -NET_SKB_PAD.

Nonetheless, I believe cipso is using skb_cow() dangerously, but since
the issue is not triggerable, would it still make sense to patch it?
I figured I would throw out a quick email. Please let me know and I can
make a similar patch for cipso if necessary.

--
Will Rosenberg

Re: ipv4: cipso potential BUG()

[Paul Moore]

On Mon, Jan 19, 2026 at 3:46 PM Will Rosenberg <whrosenb@asu.edu> wrote:
>
> Previously, it was discussed that skb_cow() has a bug due to implicit
> integer casting that can lead to a BUG when headroom < -NET_SKB_PAD. We
> concluded that it was not worthwhile to fix the root cause and to
> instead fix the symptom found in calipso. The thread for this issue can
> be found here:
>
> https://lore.kernel.org/netdev/CAHC9VhQmR8A2vz0W-VrrhYNQ2wgCYxHbAmdgmM2yTL-uh4qiOg@mail.gmail.com/
>
> I recently reviewed the use cases of skb_cow() throughout the kernel and
> found that cipso_v4_skbuff_setattr() comes very close to triggering the
> same BUG. However, I concluded this was not triggerable. Even though
> len_delta can become negative, leading to a negative headroom passed to
> skb_cow(), we do not satisfy the condition headroom < -NET_SKB_PAD.
>
> Nonetheless, I believe cipso is using skb_cow() dangerously, but since
> the issue is not triggerable, would it still make sense to patch it?
> I figured I would throw out a quick email. Please let me know and I can
> make a similar patch for cipso if necessary.

Sometimes the easiest way to get an answer to questions like this is
to send a patch; since I would expect this particular patch to be of
limited scope and very small, I think this advice holds true here.

-- 
paul-moore.com

[PATCH] cipso: harden use of skb_cow() in cipso_v4_skbuff_setattr()

[Will Rosenberg]

If skb_cow() is passed a headroom <= -NET_SKB_PAD, it will trigger a
BUG. As a result, use cases should avoid calling with a headroom that
is negative to prevent triggering this issue.

This is the same code pattern fixed in Commit 58fc7342b529 ("ipv6:
BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()").

In cipso_v4_skbuff_setattr(), len_delta can become negative, leading to
a negative headroom passed to skb_cow(). However, the BUG is not
triggerable because the condition headroom <= -NET_SKB_PAD cannot be
satisfied due to limits on the IPv4 options header size.

Avoid potential problems in the future by only using skb_cow() to grow
the skb headroom.

Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
---

Notes:
    Given that IPv4 option length should not change,
    this may not be a worthwhile patch.
    
    Apologies in advance if this ends up being a waste
    of time.

 net/ipv4/cipso_ipv4.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 709021197e1c..32b951ebc0c2 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -2196,7 +2196,8 @@ int cipso_v4_skbuff_setattr(struct sk_buff *skb,
 	/* if we don't ensure enough headroom we could panic on the skb_push()
 	 * call below so make sure we have enough, we are also "mangling" the
 	 * packet so we should probably do a copy-on-write call anyway */
-	ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
+	ret_val = skb_cow(skb,
+			  skb_headroom(skb) + (len_delta > 0 ? len_delta : 0));
 	if (ret_val < 0)
 		return ret_val;
 

base-commit: 58bae918d73e3b6cd57d1e39fcf7c75c7dd1a8fe
-- 
2.34.1

Re: [PATCH] cipso: harden use of skb_cow() in cipso_v4_skbuff_setattr()

[Paul Moore]

On Tue, Jan 20, 2026 at 10:57 AM Will Rosenberg <whrosenb@asu.edu> wrote:
>
> If skb_cow() is passed a headroom <= -NET_SKB_PAD, it will trigger a
> BUG. As a result, use cases should avoid calling with a headroom that
> is negative to prevent triggering this issue.
>
> This is the same code pattern fixed in Commit 58fc7342b529 ("ipv6:
> BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()").
>
> In cipso_v4_skbuff_setattr(), len_delta can become negative, leading to
> a negative headroom passed to skb_cow(). However, the BUG is not
> triggerable because the condition headroom <= -NET_SKB_PAD cannot be
> satisfied due to limits on the IPv4 options header size.
>
> Avoid potential problems in the future by only using skb_cow() to grow
> the skb headroom.
>
> Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
> ---
>
> Notes:
>     Given that IPv4 option length should not change,
>     this may not be a worthwhile patch.
>
>     Apologies in advance if this ends up being a waste
>     of time.
>
>  net/ipv4/cipso_ipv4.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

I think it's a reasonable thing to do in an effort to avoid future
problems.  Thanks Will.

Acked-by: Paul Moore <paul@paul-moore.com>

> diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
> index 709021197e1c..32b951ebc0c2 100644
> --- a/net/ipv4/cipso_ipv4.c
> +++ b/net/ipv4/cipso_ipv4.c
> @@ -2196,7 +2196,8 @@ int cipso_v4_skbuff_setattr(struct sk_buff *skb,
>         /* if we don't ensure enough headroom we could panic on the skb_push()
>          * call below so make sure we have enough, we are also "mangling" the
>          * packet so we should probably do a copy-on-write call anyway */
> -       ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
> +       ret_val = skb_cow(skb,
> +                         skb_headroom(skb) + (len_delta > 0 ? len_delta : 0));
>         if (ret_val < 0)
>                 return ret_val;
>
>
> base-commit: 58bae918d73e3b6cd57d1e39fcf7c75c7dd1a8fe
> --
> 2.34.1

-- 
paul-moore.com

Re: [PATCH] cipso: harden use of skb_cow() in cipso_v4_skbuff_setattr()

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net-next.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Tue, 20 Jan 2026 08:57:38 -0700 you wrote:
> If skb_cow() is passed a headroom <= -NET_SKB_PAD, it will trigger a
> BUG. As a result, use cases should avoid calling with a headroom that
> is negative to prevent triggering this issue.
> 
> This is the same code pattern fixed in Commit 58fc7342b529 ("ipv6:
> BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()").
> 
> [...]

Here is the summary with links:
  - cipso: harden use of skb_cow() in cipso_v4_skbuff_setattr()
    https://git.kernel.org/netdev/net-next/c/40cb4cb77ea2

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html