[syzbot] [net?] kernel BUG in set_ipsecrequest
4 views
Skip to first unread message
syzbot
Oct 17, 2025, 1:53:29 AM (4 days ago) Oct 17
to da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, steffen....@secunet.com, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 48a97ffc6c82 bpf: Consistently use bpf_rcu_lock_held() eve..
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=144d0734580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16f7e5e2580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11ecec58580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/87ffd600eff3/disk-48a97ffc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/aa84f0e32430/vmlinux-48a97ffc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/16498048e16c/bzImage-48a97ffc.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
skbuff: skb_over_panic: text:ffffffff8a1fdd63 len:392 put:16 head:ffff888073664d00 data:ffff888073664d00 tail:0x188 end:0x180 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:212!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6012 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:212
Code: c7 60 10 6e 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 6e 54 f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003d5eb68 EFLAGS: 00010282
RAX: 0000000000000088 RBX: dffffc0000000000 RCX: bc84b821dc35fd00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000180 R08: ffffc90003d5e867 R09: 1ffff920007abd0c
R10: dffffc0000000000 R11: fffff520007abd0d R12: ffff8880720b7b50
R13: ffff888073664d00 R14: ffff888073664d00 R15: 0000000000000188
FS: 000055555b9e7500(0000) GS:ffff888125e0c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555b9e7808 CR3: 000000007ead6000 CR4: 00000000003526f0
Call Trace:
<TASK>
skb_over_panic net/core/skbuff.c:217 [inline]
skb_put+0x159/0x210 net/core/skbuff.c:2583
skb_put_zero include/linux/skbuff.h:2788 [inline]
set_ipsecrequest+0x73/0x680 net/key/af_key.c:3532
pfkey_send_migrate+0x11f2/0x1de0 net/key/af_key.c:3636
km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2838
xfrm_migrate+0x2020/0x2330 net/xfrm/xfrm_policy.c:4698
xfrm_do_migrate+0x796/0x900 net/xfrm/xfrm_user.c:3144
xfrm_user_rcv_msg+0x7a3/0xab0 net/xfrm/xfrm_user.c:3501
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
xfrm_netlink_rcv+0x79/0x90 net/xfrm/xfrm_user.c:3523
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
____sys_sendmsg+0x505/0x830 net/socket.c:2630
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684
__sys_sendmsg net/socket.c:2716 [inline]
__do_sys_sendmsg net/socket.c:2721 [inline]
__se_sys_sendmsg net/socket.c:2719 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2719
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5fcd58eec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe59dd1ab8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f5fcd7e5fa0 RCX: 00007f5fcd58eec9
RDX: 0000000000000000 RSI: 0000200000000380 RDI: 0000000000000004
RBP: 00007f5fcd611f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5fcd7e5fa0 R14: 00007f5fcd7e5fa0 R15: 0000000000000003
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:212
Code: c7 60 10 6e 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 6e 54 f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003d5eb68 EFLAGS: 00010282
RAX: 0000000000000088 RBX: dffffc0000000000 RCX: bc84b821dc35fd00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000180 R08: ffffc90003d5e867 R09: 1ffff920007abd0c
R10: dffffc0000000000 R11: fffff520007abd0d R12: ffff8880720b7b50
R13: ffff888073664d00 R14: ffff888073664d00 R15: 0000000000000188
FS: 000055555b9e7500(0000) GS:ffff888125e0c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555b9e7808 CR3: 000000007ead6000 CR4: 00000000003526f0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 48a97ffc6c82 bpf: Consistently use bpf_rcu_lock_held() eve..
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=144d0734580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16f7e5e2580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11ecec58580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/87ffd600eff3/disk-48a97ffc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/aa84f0e32430/vmlinux-48a97ffc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/16498048e16c/bzImage-48a97ffc.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
skbuff: skb_over_panic: text:ffffffff8a1fdd63 len:392 put:16 head:ffff888073664d00 data:ffff888073664d00 tail:0x188 end:0x180 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:212!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6012 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:212
Code: c7 60 10 6e 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 6e 54 f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003d5eb68 EFLAGS: 00010282
RAX: 0000000000000088 RBX: dffffc0000000000 RCX: bc84b821dc35fd00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000180 R08: ffffc90003d5e867 R09: 1ffff920007abd0c
R10: dffffc0000000000 R11: fffff520007abd0d R12: ffff8880720b7b50
R13: ffff888073664d00 R14: ffff888073664d00 R15: 0000000000000188
FS: 000055555b9e7500(0000) GS:ffff888125e0c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555b9e7808 CR3: 000000007ead6000 CR4: 00000000003526f0
Call Trace:
<TASK>
skb_over_panic net/core/skbuff.c:217 [inline]
skb_put+0x159/0x210 net/core/skbuff.c:2583
skb_put_zero include/linux/skbuff.h:2788 [inline]
set_ipsecrequest+0x73/0x680 net/key/af_key.c:3532
pfkey_send_migrate+0x11f2/0x1de0 net/key/af_key.c:3636
km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2838
xfrm_migrate+0x2020/0x2330 net/xfrm/xfrm_policy.c:4698
xfrm_do_migrate+0x796/0x900 net/xfrm/xfrm_user.c:3144
xfrm_user_rcv_msg+0x7a3/0xab0 net/xfrm/xfrm_user.c:3501
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
xfrm_netlink_rcv+0x79/0x90 net/xfrm/xfrm_user.c:3523
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
____sys_sendmsg+0x505/0x830 net/socket.c:2630
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684
__sys_sendmsg net/socket.c:2716 [inline]
__do_sys_sendmsg net/socket.c:2721 [inline]
__se_sys_sendmsg net/socket.c:2719 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2719
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5fcd58eec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe59dd1ab8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f5fcd7e5fa0 RCX: 00007f5fcd58eec9
RDX: 0000000000000000 RSI: 0000200000000380 RDI: 0000000000000004
RBP: 00007f5fcd611f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5fcd7e5fa0 R14: 00007f5fcd7e5fa0 R15: 0000000000000003
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:212
Code: c7 60 10 6e 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 6e 54 f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90003d5eb68 EFLAGS: 00010282
RAX: 0000000000000088 RBX: dffffc0000000000 RCX: bc84b821dc35fd00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000180 R08: ffffc90003d5e867 R09: 1ffff920007abd0c
R10: dffffc0000000000 R11: fffff520007abd0d R12: ffff8880720b7b50
R13: ffff888073664d00 R14: ffff888073664d00 R15: 0000000000000188
FS: 000055555b9e7500(0000) GS:ffff888125e0c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555b9e7808 CR3: 000000007ead6000 CR4: 00000000003526f0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Oct 17, 2025, 6:53:06 AM (3 days ago) Oct 17
to alexand...@fb.com, chuck...@oracle.com, da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linyu...@huawei.com, net...@vger.kernel.org, pab...@redhat.com, steffen....@secunet.com, syzkall...@googlegroups.com
syzbot has bisected this issue to:
commit 14ad6ed30a10afbe91b0749d6378285f4225d482
Author: Paolo Abeni <pab...@redhat.com>
Date: Tue Feb 18 18:29:39 2025 +0000
net: allow small head cache usage with large MAX_SKB_FRAGS values
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=177a35e2580000
start commit: 48a97ffc6c82 bpf: Consistently use bpf_rcu_lock_held() eve..
git tree: bpf-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=14fa35e2580000
console output: https://syzkaller.appspot.com/x/log.txt?x=10fa35e2580000
Fixes: 14ad6ed30a10 ("net: allow small head cache usage with large MAX_SKB_FRAGS values")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 14ad6ed30a10afbe91b0749d6378285f4225d482
Author: Paolo Abeni <pab...@redhat.com>
Date: Tue Feb 18 18:29:39 2025 +0000
net: allow small head cache usage with large MAX_SKB_FRAGS values
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=177a35e2580000
start commit: 48a97ffc6c82 bpf: Consistently use bpf_rcu_lock_held() eve..
git tree: bpf-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=14fa35e2580000
console output: https://syzkaller.appspot.com/x/log.txt?x=10fa35e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16f7e5e2580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11ecec58580000
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11ecec58580000
Fixes: 14ad6ed30a10 ("net: allow small head cache usage with large MAX_SKB_FRAGS values")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Edward Adam Davis
Oct 18, 2025, 10:34:20 PM (2 days ago) Oct 18
to syzbot+be97dd...@syzkaller.appspotmail.com, da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, steffen....@secunet.com, syzkall...@googlegroups.com
When setting the extended skb data for sadb_x_ipsecrequest, the requested
extended data size exceeds the allocated skb data length, triggering the
reported bug.
Because family only supports AF_INET and AF_INET6, other values will cause
pfkey_sockaddr_fill() to fail, which in turn causes set_ipsecrequest() to
fail.
Therefore, a workaround is available here: using a family value of 0 to
resolve the issue of excessively large extended data length.
syzbot reported:
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
net/key/af_key.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 2ebde0352245..e658c129b38f 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3526,6 +3526,9 @@ static int set_ipsecrequest(struct sk_buff *skb,
int socklen = pfkey_sockaddr_len(family);
int size_req;
+ if (!family)
+ return -EINVAL;
+
size_req = sizeof(struct sadb_x_ipsecrequest) +
pfkey_sockaddr_pair_size(family);
--
2.43.0
extended data size exceeds the allocated skb data length, triggering the
reported bug.
Because family only supports AF_INET and AF_INET6, other values will cause
pfkey_sockaddr_fill() to fail, which in turn causes set_ipsecrequest() to
fail.
Therefore, a workaround is available here: using a family value of 0 to
resolve the issue of excessively large extended data length.
syzbot reported:
kernel BUG at net/core/skbuff.c:212!
Call Trace:
skb_over_panic net/core/skbuff.c:217 [inline]
skb_put+0x159/0x210 net/core/skbuff.c:2583
skb_put_zero include/linux/skbuff.h:2788 [inline]
set_ipsecrequest+0x73/0x680 net/key/af_key.c:3532
Fixes: 08de61beab8a ("[PFKEYV2]: Extension for dynamic update of endpoint address(es)")
skb_put+0x159/0x210 net/core/skbuff.c:2583
skb_put_zero include/linux/skbuff.h:2788 [inline]
set_ipsecrequest+0x73/0x680 net/key/af_key.c:3532
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
net/key/af_key.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 2ebde0352245..e658c129b38f 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3526,6 +3526,9 @@ static int set_ipsecrequest(struct sk_buff *skb,
int socklen = pfkey_sockaddr_len(family);
int size_req;
+ if (!family)
+ return -EINVAL;
+
size_req = sizeof(struct sadb_x_ipsecrequest) +
pfkey_sockaddr_pair_size(family);
--
2.43.0
syzbot
Oct 19, 2025, 2:31:04 PM (yesterday) Oct 19
to da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, ssran...@gmail.com, steffen....@secunet.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/key/af_key.c
patch: **** unexpected end of file in patch
Tested on:
commit: d9043c79 Merge tag 'sched_urgent_for_v6.18_rc2' of git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
patch: https://syzkaller.appspot.com/x/patch.diff?x=17653a14580000
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/key/af_key.c
patch: **** unexpected end of file in patch
Tested on:
commit: d9043c79 Merge tag 'sched_urgent_for_v6.18_rc2' of git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
compiler:
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
patch: https://syzkaller.appspot.com/x/patch.diff?x=17653a14580000
syzbot
Oct 19, 2025, 2:32:03 PM (yesterday) Oct 19
to da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, ssran...@gmail.com, steffen....@secunet.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/key/af_key.c
patch: **** unexpected end of file in patch
Tested on:
commit: d9043c79 Merge tag 'sched_urgent_for_v6.18_rc2' of git..
git tree: upstream
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/key/af_key.c
patch: **** unexpected end of file in patch
Tested on:
commit: d9043c79 Merge tag 'sched_urgent_for_v6.18_rc2' of git..
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=10e21492580000
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
compiler:
syzbot
Oct 19, 2025, 2:32:04 PM (yesterday) Oct 19
to da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, ssran...@gmail.com, steffen....@secunet.com, syzkall...@googlegroups.com
syzbot
Oct 19, 2025, 10:50:04 PM (17 hours ago) Oct 19
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.
***
Subject: [PATCH] net: key: Validate address family in set_ipsecrequest()
Author: ssran...@ee.vjti.ac.in
Hi syzbot,
Please test the following patch.
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git master
Thanks,
Shaurya Rane
From 123c5ac9ba261681b58a6217409c94722fde4249 Mon Sep 17 00:00:00 2001
From: Shaurya Rane <ssran...@ee.vjti.ac.in>
Date: Sun, 19 Oct 2025 23:18:30 +0530
Subject: [PATCH] net: key: Validate address family in set_ipsecrequest()
syzbot reported a kernel BUG in set_ipsecrequest() due to an
skb_over_panic when processing XFRM_MSG_MIGRATE messages.
The root cause is that set_ipsecrequest() does not validate the
address family parameter before using it to calculate buffer sizes.
When an unsupported family value (such as 0) is passed,
pfkey_sockaddr_len() returns 0, leading to incorrect size calculations.
In pfkey_send_migrate(), the buffer size is calculated based on
pfkey_sockaddr_pair_size(), which uses pfkey_sockaddr_len(). When
family=0, this returns 0, so only sizeof(struct sadb_x_ipsecrequest)
(16 bytes) is allocated per entry. However, set_ipsecrequest() is
called multiple times in a loop (once for old_family, once for
new_family, for each migration bundle), repeatedly calling skb_put_zero()
with 16 bytes each time.
This causes the tail pointer to exceed the end pointer of the skb,
triggering skb_over_panic:
tail: 0x188 (392 bytes)
end: 0x180 (384 bytes)
Fix this by validating that pfkey_sockaddr_len() returns a non-zero
value before proceeding with buffer operations. This ensures proper
size calculations and prevents buffer overflow. Checking socklen
instead of just family==0 provides comprehensive validation for all
unsupported address families.
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
Fixes: 08de61beab8a ("[PFKEYV2]: Extension for dynamic update of
endpoint address(es)")
Signed-off-by: Shaurya Rane <ssran...@ee.vjti.ac.in>
---
net/key/af_key.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 2ebde0352245..713344c594d4 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3526,6 +3526,10 @@ static int set_ipsecrequest(struct sk_buff *skb,
+ if (!socklen)
syzkall...@googlegroups.com.
***
Subject: [PATCH] net: key: Validate address family in set_ipsecrequest()
Author: ssran...@ee.vjti.ac.in
Hi syzbot,
Please test the following patch.
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git master
Thanks,
Shaurya Rane
From 123c5ac9ba261681b58a6217409c94722fde4249 Mon Sep 17 00:00:00 2001
From: Shaurya Rane <ssran...@ee.vjti.ac.in>
Date: Sun, 19 Oct 2025 23:18:30 +0530
Subject: [PATCH] net: key: Validate address family in set_ipsecrequest()
syzbot reported a kernel BUG in set_ipsecrequest() due to an
skb_over_panic when processing XFRM_MSG_MIGRATE messages.
The root cause is that set_ipsecrequest() does not validate the
address family parameter before using it to calculate buffer sizes.
When an unsupported family value (such as 0) is passed,
pfkey_sockaddr_len() returns 0, leading to incorrect size calculations.
In pfkey_send_migrate(), the buffer size is calculated based on
pfkey_sockaddr_pair_size(), which uses pfkey_sockaddr_len(). When
family=0, this returns 0, so only sizeof(struct sadb_x_ipsecrequest)
(16 bytes) is allocated per entry. However, set_ipsecrequest() is
called multiple times in a loop (once for old_family, once for
new_family, for each migration bundle), repeatedly calling skb_put_zero()
with 16 bytes each time.
This causes the tail pointer to exceed the end pointer of the skb,
triggering skb_over_panic:
tail: 0x188 (392 bytes)
end: 0x180 (384 bytes)
Fix this by validating that pfkey_sockaddr_len() returns a non-zero
value before proceeding with buffer operations. This ensures proper
size calculations and prevents buffer overflow. Checking socklen
instead of just family==0 provides comprehensive validation for all
unsupported address families.
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
Fixes: 08de61beab8a ("[PFKEYV2]: Extension for dynamic update of
endpoint address(es)")
---
net/key/af_key.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 2ebde0352245..713344c594d4 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3526,6 +3526,10 @@ static int set_ipsecrequest(struct sk_buff *skb,
int socklen = pfkey_sockaddr_len(family);
int size_req;
+ /* Reject invalid/unsupported address families */
int size_req;
+ if (!socklen)
+ return -EINVAL;
+
size_req = sizeof(struct sadb_x_ipsecrequest) +
pfkey_sockaddr_pair_size(family);
--
2.34.1
+
size_req = sizeof(struct sadb_x_ipsecrequest) +
pfkey_sockaddr_pair_size(family);
--
syzbot
Oct 19, 2025, 10:52:06 PM (17 hours ago) Oct 19
to linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, ssran...@ee.vjti.ac.in, steffen....@secunet.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/key/af_key.c
patch: **** unexpected end of file in patch
Tested on:
commit: 7361c864 selftests/bpf: Fix list_del() in arena list
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/key/af_key.c
patch: **** unexpected end of file in patch
Tested on:
git tree: bpf-next
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=11031492580000
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
compiler:
syzbot
Oct 19, 2025, 10:57:38 PM (17 hours ago) Oct 19
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [Testing] net: key: Validate address family in set_ipsecrequest()
Author: ssran...@ee.vjti.ac.in
Please test the following patch.
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git master
Thanks,
Shaurya Rane
syzbot
Oct 19, 2025, 11:16:05 PM (16 hours ago) Oct 19
to linux-...@vger.kernel.org, ssran...@ee.vjti.ac.in, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in set_ipsecrequest
skbuff: skb_over_panic: text:ffffffff8a205d63 len:392 put:16 head:ffff88805b276a40 data:ffff88805b276a40 tail:0x188 end:0x180 dev:<NULL>
------------[ cut here ]------------
RSP: 0018:ffffc90003c06b68 EFLAGS: 00010282
RAX: 0000000000000088 RBX: dffffc0000000000 RCX: 05b0c7e83ffe1100
R10: dffffc0000000000 R11: fffff52000780d0d R12: ffff888078c92150
R13: ffff88805b276a40 R14: ffff88805b276a40 R15: 0000000000000188
FS: 00007f2bce8166c0(0000) GS:ffff888125d0b000(0000) knlGS:0000000000000000
Call Trace:
<TASK>
RAX: ffffffffffffffda RBX: 00007f2bcdbe5fa0 RCX: 00007f2bcd98eec9
RSP: 0018:ffffc90003c06b68 EFLAGS: 00010282
RAX: 0000000000000088 RBX: dffffc0000000000 RCX: 05b0c7e83ffe1100
R10: dffffc0000000000 R11: fffff52000780d0d R12: ffff888078c92150
R13: ffff88805b276a40 R14: ffff88805b276a40 R15: 0000000000000188
FS: 00007f2bce8166c0(0000) GS:ffff888125e0b000(0000) knlGS:0000000000000000
Tested on:
commit: 7361c864 selftests/bpf: Fix list_del() in arena list
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12e10e7c580000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in set_ipsecrequest
skbuff: skb_over_panic: text:ffffffff8a205d63 len:392 put:16 head:ffff88805b276a40 data:ffff88805b276a40 tail:0x188 end:0x180 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:212!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6444 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:212
Code: c7 60 0e 6e 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 4e 50 f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90
RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:212
RSP: 0018:ffffc90003c06b68 EFLAGS: 00010282
RAX: 0000000000000088 RBX: dffffc0000000000 RCX: 05b0c7e83ffe1100
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000180 R08: ffffc90003c06867 R09: 1ffff92000780d0c
R10: dffffc0000000000 R11: fffff52000780d0d R12: ffff888078c92150
R13: ffff88805b276a40 R14: ffff88805b276a40 R15: 0000000000000188
FS: 00007f2bce8166c0(0000) GS:ffff888125d0b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f90ed0682d0 CR3: 0000000069384000 CR4: 00000000003526f0
Call Trace:
<TASK>
skb_over_panic net/core/skbuff.c:217 [inline]
skb_put+0x159/0x210 net/core/skbuff.c:2583
skb_put_zero include/linux/skbuff.h:2788 [inline]
set_ipsecrequest+0x73/0x680 net/key/af_key.c:3532
skb_put+0x159/0x210 net/core/skbuff.c:2583
skb_put_zero include/linux/skbuff.h:2788 [inline]
set_ipsecrequest+0x73/0x680 net/key/af_key.c:3532
pfkey_send_migrate+0x11f2/0x1de0 net/key/af_key.c:3636
km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2838
xfrm_migrate+0x2020/0x2330 net/xfrm/xfrm_policy.c:4698
xfrm_do_migrate+0x796/0x900 net/xfrm/xfrm_user.c:3144
xfrm_user_rcv_msg+0x7a3/0xab0 net/xfrm/xfrm_user.c:3501
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
xfrm_netlink_rcv+0x79/0x90 net/xfrm/xfrm_user.c:3523
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
____sys_sendmsg+0x505/0x830 net/socket.c:2630
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684
__sys_sendmsg net/socket.c:2716 [inline]
__do_sys_sendmsg net/socket.c:2721 [inline]
__se_sys_sendmsg net/socket.c:2719 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2719
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2bcd98eec9
km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2838
xfrm_migrate+0x2020/0x2330 net/xfrm/xfrm_policy.c:4698
xfrm_do_migrate+0x796/0x900 net/xfrm/xfrm_user.c:3144
xfrm_user_rcv_msg+0x7a3/0xab0 net/xfrm/xfrm_user.c:3501
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
xfrm_netlink_rcv+0x79/0x90 net/xfrm/xfrm_user.c:3523
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
____sys_sendmsg+0x505/0x830 net/socket.c:2630
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684
__sys_sendmsg net/socket.c:2716 [inline]
__do_sys_sendmsg net/socket.c:2721 [inline]
__se_sys_sendmsg net/socket.c:2719 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2719
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2bce816038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f2bcdbe5fa0 RCX: 00007f2bcd98eec9
RDX: 0000000000000000 RSI: 0000200000000380 RDI: 0000000000000004
RBP: 00007f2bcda11f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2bcdbe6038 R14: 00007f2bcdbe5fa0 R15: 00007ffd8b27cbc8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:212
Code: c7 60 0e 6e 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 4e 50 f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:212
RSP: 0018:ffffc90003c06b68 EFLAGS: 00010282
RAX: 0000000000000088 RBX: dffffc0000000000 RCX: 05b0c7e83ffe1100
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000180 R08: ffffc90003c06867 R09: 1ffff92000780d0c
R10: dffffc0000000000 R11: fffff52000780d0d R12: ffff888078c92150
R13: ffff88805b276a40 R14: ffff88805b276a40 R15: 0000000000000188
FS: 00007f2bce8166c0(0000) GS:ffff888125e0b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000001f40 CR3: 0000000069384000 CR4: 00000000003526f0
Tested on:
commit: 7361c864 selftests/bpf: Fix list_del() in arena list
git tree: bpf-next
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Note: no patches were applied.
syzbot
2:01 AM (14 hours ago) 2:01 AM
to 15991...@qq.com, 15991...@qq.com, da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, steffen....@secunet.com, syzkall...@googlegroups.com
> #syz test:
want either no args or 2 args (repo, branch), got 7
> From 2edfc8833e43cdf5ccda8bd5be3da5d1bbdc69c6 Mon Sep 17 00:00:00 2001
> From: clingfei <15991...@qq.com>
> Date: Mon, 20 Oct 2025 13:40:35 +0800
> Subject: [PATCH] fix integer overflow in set_ipsecrequest
> The mp->new_family and mp->old_family is u16, while set_ipsecrequest receives family as uint8_t,
> causing a integer overflow and the later size_req calculation error, which ultimately triggered a
> kernel bug in skb_put.
> net/key/af_key.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/key/af_key.c b/net/key/af_key.c
> index 2ebde0352245..08f4cde01994 100644
> --- a/net/key/af_key.c
> +++ b/net/key/af_key.c
> @@ -3518,7 +3518,7 @@ static int set_sadb_kmaddress(struct sk_buff *skb, const struct xfrm_kmaddress *
> - uint32_t reqid, uint8_t family,
> + uint32_t reqid, uint16_t family,
> const xfrm_address_t *src, const xfrm_address_t *dst)
> {
> struct sadb_x_ipsecrequest *rq;
> --
> 2.34.1
want either no args or 2 args (repo, branch), got 7
> From 2edfc8833e43cdf5ccda8bd5be3da5d1bbdc69c6 Mon Sep 17 00:00:00 2001
> From: clingfei <15991...@qq.com>
> Date: Mon, 20 Oct 2025 13:40:35 +0800
> Subject: [PATCH] fix integer overflow in set_ipsecrequest
> The mp->new_family and mp->old_family is u16, while set_ipsecrequest receives family as uint8_t,
> causing a integer overflow and the later size_req calculation error, which ultimately triggered a
> kernel bug in skb_put.
>
> Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
>
> ---
> Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
>
> net/key/af_key.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/key/af_key.c b/net/key/af_key.c
> index 2ebde0352245..08f4cde01994 100644
> --- a/net/key/af_key.c
> +++ b/net/key/af_key.c
> @@ -3518,7 +3518,7 @@ static int set_sadb_kmaddress(struct sk_buff *skb, const struct xfrm_kmaddress *
>
> static int set_ipsecrequest(struct sk_buff *skb,
> uint8_t proto, uint8_t mode, int level,
> static int set_ipsecrequest(struct sk_buff *skb,
> - uint32_t reqid, uint8_t family,
> + uint32_t reqid, uint16_t family,
> const xfrm_address_t *src, const xfrm_address_t *dst)
> {
> struct sadb_x_ipsecrequest *rq;
> --
> 2.34.1
syzbot
3:30 AM (12 hours ago) 3:30 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] Fix integer overflow in set_ipsecrequest()
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: clf7...@gmail.com
Hi syzbot,
Please test the following patch.
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git master
From db24f0985600db1f88d5d2b7420f0707d67ea05a Mon Sep 17 00:00:00 2001
From: clingfei <clf7...@gmail.com>
Date: Mon, 20 Oct 2025 13:48:54 +0800
Subject: [PATCH] fix integer overflow in set_ipsecrequest()
syzbot reported a kernel BUG in set_ipsecrequest() due to an skb_over_panic.
The mp->new_family and mp->old_family is u16, while set_ipsecrequest receives
family as uint8_t, causing a integer overflow and the later size_req calculation
kernel bug in skb_put.
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
Signed-off-by: Cheng Lingfei <clf7...@gmail.com>
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
syzbot
3:36 AM (12 hours ago) 3:36 AM
to clf7...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/key/af_key.c
patch: **** unexpected end of file in patch
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/key/af_key.c
patch: **** unexpected end of file in patch
Tested on:
commit: 7361c864 selftests/bpf: Fix list_del() in arena list
git tree: bpf-next
commit: 7361c864 selftests/bpf: Fix list_del() in arena list
git tree: bpf-next
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=104b5de2580000
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
compiler:
shaurya
3:40 AM (12 hours ago) 3:40 AM
to syzbot+be97dd...@syzkaller.appspotmail.com, da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, steffen....@secunet.com, syzkall...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
From 123c5ac9ba261681b58a6217409c94722fde4249 Mon Sep 17 00:00:00 2001
From: Shaurya Rane <ssran...@ee.vjti.ac.in>
Date: Sun, 19 Oct 2025 23:18:30 +0530
Subject: [PATCH] net: key: Validate address family in set_ipsecrequest()
syzbot reported a kernel BUG in set_ipsecrequest() due to an
skb_over_panic when processing XFRM_MSG_MIGRATE messages.
The root cause is that set_ipsecrequest() does not validate the
address family parameter before using it to calculate buffer sizes.
When an unsupported family value (such as 0) is passed,
pfkey_sockaddr_len() returns 0, leading to incorrect size calculations.
In pfkey_send_migrate(), the buffer size is calculated based on
pfkey_sockaddr_pair_size(), which uses pfkey_sockaddr_len(). When
family=0, this returns 0, so only sizeof(struct sadb_x_ipsecrequest)
(16 bytes) is allocated per entry. However, set_ipsecrequest() is
called multiple times in a loop (once for old_family, once for
new_family, for each migration bundle), repeatedly calling skb_put_zero()
with 16 bytes each time.
This causes the tail pointer to exceed the end pointer of the skb,
triggering skb_over_panic:
tail: 0x188 (392 bytes)
end: 0x180 (384 bytes)
Fix this by validating that pfkey_sockaddr_len() returns a non-zero
value before proceeding with buffer operations. This ensures proper
size calculations and prevents buffer overflow. Checking socklen
instead of just family==0 provides comprehensive validation for all
unsupported address families.
Fixes: 08de61beab8a ("[PFKEYV2]: Extension for dynamic update of endpoint address(es)")
Signed-off-by: Shaurya Rane <ssran...@ee.vjti.ac.in>
---
net/key/af_key.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 2ebde0352245..713344c594d4 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3526,6 +3526,10 @@ static int set_ipsecrequest(struct sk_buff *skb,
1599101385
3:40 AM (12 hours ago) 3:40 AM
to syzbot+be97dd...@syzkaller.appspotmail.com, da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, steffen....@secunet.com, syzkall...@googlegroups.com
#syz test
From 2edfc8833e43cdf5ccda8bd5be3da5d1bbdc69c6 Mon Sep 17 00:00:00 2001
From: clingfei <15991...@qq.com>
Date: Mon, 20 Oct 2025 13:40:35 +0800
Subject: [PATCH] fix integer overflow in set_ipsecrequest
The mp->new_family and mp->old_family is u16, while set_ipsecrequest receives family as uint8_t,
causing a integer overflow and the later size_req calculation error, which ultimately triggered a
kernel bug in skb_put.
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
---
net/key/af_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 2ebde0352245..08f4cde01994 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3518,7 +3518,7 @@ static int set_sadb_kmaddress(struct sk_buff *skb, const struct xfrm_kmaddress *
static int set_ipsecrequest(struct sk_buff *skb,
15991...@qq.com
3:40 AM (12 hours ago) 3:40 AM
to syzbot+be97dd...@syzkaller.appspotmail.com, da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, steffen....@secunet.com, syzkall...@googlegroups.com
shaurya
3:40 AM (12 hours ago) 3:40 AM
to syzbot+be97dd...@syzkaller.appspotmail.com, da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, steffen....@secunet.com, syzkall...@googlegroups.com
From 123c5ac9ba261681b58a6217409c94722fde4249 Mon Sep 17 00:00:00 2001
index 2ebde0352245..713344c594d4 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3526,6 +3526,10 @@ static int set_ipsecrequest(struct sk_buff *skb,
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
Fixes: 08de61beab8a ("[PFKEYV2]: Extension for dynamic update of
endpoint address(es)")
Signed-off-by: Shaurya Rane <ssran...@ee.vjti.ac.in>
---
net/key/af_key.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/key/af_key.c b/net/key/af_key.c
endpoint address(es)")
Signed-off-by: Shaurya Rane <ssran...@ee.vjti.ac.in>
---
net/key/af_key.c | 4 ++++
1 file changed, 4 insertions(+)
index 2ebde0352245..713344c594d4 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3526,6 +3526,10 @@ static int set_ipsecrequest(struct sk_buff *skb,
ssran...@gmail.com
3:40 AM (12 hours ago) 3:40 AM
to syzbot+be97dd...@syzkaller.appspotmail.com, da...@davemloft.net, edum...@google.com, her...@gondor.apana.org.au, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, steffen....@secunet.com, syzkall...@googlegroups.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
syzbot
3:48 AM (12 hours ago) 3:48 AM
to clf7...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
clingfei
3:48 AM (12 hours ago) 3:48 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot <syzbot+be97dd...@syzkaller.appspotmail.com>
于2025年10月20日周一 15:36写道:
From: clingfei <clf7...@gmail.com>
Date: Mon, 20 Oct 2025 13:48:54 +0800
The mp->new_family and mp->old_family is u16, while set_ipsecrequest receives
family as uint8_t, causing a integer overflow and the later size_req
calculation
index 2ebde0352245..08f4cde01994 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
于2025年10月20日周一 15:36写道:
Hi syzbot,
Please test the following patch.
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git master
Thanks.
From 6dc2deb09faf7d53707cc9e75e175b09644fd181 Mon Sep 17 00:00:00 2001
Please test the following patch.
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git master
Thanks.
From: clingfei <clf7...@gmail.com>
Date: Mon, 20 Oct 2025 13:48:54 +0800
Subject: [PATCH] fix integer overflow in set_ipsecrequest
syzbot reported a kernel BUG in set_ipsecrequest() due to an skb_over_panic.
The mp->new_family and mp->old_family is u16, while set_ipsecrequest receives
family as uint8_t, causing a integer overflow and the later size_req
calculation
error, which exceeds the size used in alloc_skb, and ultimately triggered the
kernel bug in skb_put.
kernel bug in skb_put.
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
Signed-off-by: Cheng Lingfei <clf7...@gmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
---
net/key/af_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c
net/key/af_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
index 2ebde0352245..08f4cde01994 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3518,7 +3518,7 @@ static int set_sadb_kmaddress(struct sk_buff
*skb, const struct xfrm_kmaddress *
*skb, const struct xfrm_kmaddress *
static int set_ipsecrequest(struct sk_buff *skb,
syzbot
3:54 AM (12 hours ago) 3:54 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: Re: [syzbot] [net?] kernel BUG in set_ipsecrequest
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: clf7...@gmail.com
syzbot <syzbot+be97dd...@syzkaller.appspotmail.com>
于2025年10月20日周一 15:48写道:
>
> Hello,
>
> syzbot tried to test the proposed patch but the build/boot failed:
>
> failed to apply patch:
> checking file net/key/af_key.c
> patch: **** unexpected end of file in patch
>
>
>
> Tested on:
>
> commit: 7361c864 selftests/bpf: Fix list_del() in arena list
> git tree: bpf-next
> Hello,
>
> syzbot tried to test the proposed patch but the build/boot failed:
>
> failed to apply patch:
> checking file net/key/af_key.c
> patch: **** unexpected end of file in patch
>
>
>
> Tested on:
>
> commit: 7361c864 selftests/bpf: Fix list_del() in arena list
> git tree: bpf-next
> kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
> dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
> compiler:
> patch: https://syzkaller.appspot.com/x/patch.diff?x=16776b04580000
> dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
> compiler:
syzbot
3:56 AM (12 hours ago) 3:56 AM
to clf7...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/key/af_key.c
patch: **** unexpected end of file in patch
Tested on:
commit: 7361c864 selftests/bpf: Fix list_del() in arena list
git tree: bpf-next
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=122d3c58580000
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/key/af_key.c
patch: **** unexpected end of file in patch
Tested on:
commit: 7361c864 selftests/bpf: Fix list_del() in arena list
git tree: bpf-next
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
compiler:
syzbot
7:19 AM (8 hours ago) 7:19 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject:
Author: clf7...@gmail.com
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject:
syzbot
9:48 AM (6 hours ago) 9:48 AM
to clf7...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
Tested-by: syzbot+be97dd...@syzkaller.appspotmail.com
Tested on:
commit: 7361c864 selftests/bpf: Fix list_del() in arena list
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1089f52f980000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+be97dd...@syzkaller.appspotmail.com
Tested-by: syzbot+be97dd...@syzkaller.appspotmail.com
Tested on:
commit: 7361c864 selftests/bpf: Fix list_del() in arena list
git tree: bpf-next
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
dashboard link: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=12bf83cd980000
Note: testing is done by a robot and is best-effort only.
Reply all
Reply to author
Forward
0 new messages