[PATCH] net: sctp: fix KMSAN uninit-value in sctp_inq_pop


Ranganath V N

Oct 23, 2025, 6:00:25 AM (4 days ago) Oct 23
to Marcelo Ricardo Leitner, Xin Long, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, linux...@vger.kernel.org, net...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+d101e1...@syzkaller.appspotmail.com, Ranganath V N
Fix an issue detected by syzbot:

KMSAN reported an uninitialized-value access in sctp_inq_pop
while parsing an SCTP chunk header received from a locally transmitted packet.

BUG: KMSAN: uninit-value in sctp_inq_pop

The skb allocated in sctp_packet_transmit() contains uninitialized bytes.
The sctp transmit path writes only the necessary header and chunk data;
the receive path reads from uninitialized parts of the skb, triggering KMSAN.

Fix this by explicitly zeroing the skb payload area after allocation
and reservation, ensuring all future reads from this region are fully
initialized.

Reported-by: syzbot+d101e1...@syzkaller.appspotmail.com
Tested-by: syzbot+d101e1...@syzkaller.appspotmail.com
Fixes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
Signed-off-by: Ranganath V N <vnranga...@gmail.com>
---
KMSAN reported an uninitialized-value access in sctp_inq_pop
while parsing an SCTP chunk header received from a locally transmitted packet.
---
net/sctp/output.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/sctp/output.c b/net/sctp/output.c
index 23e96305cad7..e76413741faf 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -602,6 +602,8 @@ int sctp_packet_transmit(struct sctp_packet *packet, gfp_t gfp)
skb_reserve(head, packet->overhead + MAX_HEADER);
skb_set_owner_w(head, sk);

+ memset(head->data, 0, skb_tailroom(head));
+
/* set sctp header */
sh = skb_push(head, sizeof(struct sctphdr));
skb_reset_transport_header(head);
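Review bot: memset(head->data, 0, skb_tailroom(head)) zeroes the entire tailroom of every transmitted packet, a per-packet cost proportional to the allocation, and it only masks the over-read on the receive side rather than removing it; the follow-up in this thread traces the uninit read to sk_filter() trimming skb->len in sctp_rcv() after the header-length check has already passed, so the fix belongs on the receive path as a re-check of skb->len after the filter. The description also never explains why the reader touches bytes the transmit path did not write, which is the question to answer before accepting a transmit-side change.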

---
base-commit: 43e9ad0c55a369ecc84a4788d06a8a6bfa634f1c
change-id: 20251023-kmsan_fix-78d527b9960b

Best regards,
--
Ranganath V N <vnranga...@gmail.com>

Xin Long

Oct 23, 2025, 12:56:18 PM (4 days ago) Oct 23
to Ranganath V N, Marcelo Ricardo Leitner, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, linux...@vger.kernel.org, net...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+d101e1...@syzkaller.appspotmail.com
On Thu, Oct 23, 2025 at 5:52 AM Ranganath V N <vnranga...@gmail.com> wrote:
>
> Fix an issue detected by syzbot:
>
> KMSAN reported an uninitialized-value access in sctp_inq_pop
Hi, Ranganath,

The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
original check:

if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
skb_transport_offset(skb))

(TBH, I didn't expect it would allow BPF to trim skb in sk_filter().)

To handle this safely, a new check should be performed after sk_filter() like:

+ if (sk_filter(sk, skb) || skb->len < sizeof(struct sctp_chunkhdr))
goto discard_release;

Could you please proceed with this change in sctp_rcv()?

Thanks.
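The ordering problem Xin Long describes above (a length check done before sk_filter() no longer holds afterwards, because a socket filter may shrink skb->len) can be shown outside the kernel. The following user-space model is an added example; it is not kernel code and not code from anyone in this thread. The struct and function names (mock_skb, mock_sk_filter, mock_pop_chunk, mock_sctp_rcv, run_scenario) are assumptions made for the illustration, the packet bytes are constructed, and the 0xAA fill stands in for the uninitialized memory that KMSAN flagged.

```c
/* Added example, not kernel code: user-space model of sctp_rcv()'s
 * length validation around sk_filter(). Names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SCTPHDR_LEN   12U  /* sizeof(struct sctphdr) */
#define CHUNKHDR_LEN   4U  /* sizeof(struct sctp_chunkhdr) */

struct mock_skb {
    uint8_t buf[64];   /* backing allocation, larger than the packet */
    size_t head;       /* offset of the current data pointer */
    size_t len;        /* bytes the receive path may read from head */
    size_t over_read;  /* bytes touched beyond head + len */
};

enum rcv_result {
    RCV_DISCARD_PRE_FILTER,   /* failed the original length check */
    RCV_DISCARD_POST_FILTER,  /* dropped by the filter or the re-check */
    RCV_PARSED                /* chunk header was read */
};

/* Stand-in for __skb_pull(): advance the data pointer, shrink len. */
static void mock_skb_pull(struct mock_skb *skb, size_t n)
{
    skb->head += n;
    skb->len -= n;
}

/* Stand-in for sk_filter(): a filter that trims the packet to trim_to
 * bytes (the reproducer in the thread trimmed it to 1). 0 = keep. */
static int mock_sk_filter(struct mock_skb *skb, size_t trim_to)
{
    if (trim_to < skb->len)
        skb->len = trim_to;
    return 0;
}

/* Stand-in for the chunk header read in sctp_inq_pop(): returns the
 * chunk length field and records bytes read past the packet end. */
static uint16_t mock_pop_chunk(struct mock_skb *skb)
{
    const uint8_t *ch = skb->buf + skb->head;

    if (skb->len < CHUNKHDR_LEN)
        skb->over_read += CHUNKHDR_LEN - skb->len;
    return (uint16_t)((ch[2] << 8) | ch[3]);
}

/* Model of sctp_rcv() with the post-filter re-check switchable. */
static enum rcv_result mock_sctp_rcv(struct mock_skb *skb, size_t trim_to,
                                     int post_filter_check, uint16_t *chunk_len)
{
    /* Original check: runs before the filter. */
    if (skb->len < SCTPHDR_LEN + CHUNKHDR_LEN)
        return RCV_DISCARD_PRE_FILTER;

    mock_skb_pull(skb, SCTPHDR_LEN);      /* common header consumed */

    if (mock_sk_filter(skb, trim_to))
        return RCV_DISCARD_POST_FILTER;
    /* The v2 change: re-validate, since the filter may have trimmed. */
    if (post_filter_check && skb->len < CHUNKHDR_LEN)
        return RCV_DISCARD_POST_FILTER;

    *chunk_len = mock_pop_chunk(skb);
    return RCV_PARSED;
}

/* Constructed 20-byte packet: 12-byte common header plus one 8-byte
 * chunk. Everything past the packet is filled with 0xAA. */
static void build_sample_packet(struct mock_skb *skb)
{
    static const uint8_t pkt[20] = {
        0x13, 0x88, 0x13, 0x88,  /* src port 5000, dst port 5000 */
        0x00, 0x00, 0x00, 0x01,  /* verification tag */
        0x00, 0x00, 0x00, 0x00,  /* checksum (not modelled) */
        0x01, 0x00, 0x00, 0x08,  /* chunk: type INIT, flags 0, length 8 */
        0x00, 0x00, 0x00, 0x00,  /* chunk body */
    };
    memset(skb, 0xAA, sizeof(*skb));
    memcpy(skb->buf, pkt, sizeof(pkt));
    skb->head = 0;
    skb->len = sizeof(pkt);
    skb->over_read = 0;
}

/* Run one scenario; the skb is left for inspection by the caller. */
enum rcv_result run_scenario(size_t trim_to, int post_filter_check,
                             struct mock_skb *skb, uint16_t *chunk_len)
{
    build_sample_packet(skb);
    *chunk_len = 0;
    return mock_sctp_rcv(skb, trim_to, post_filter_check, chunk_len);
}

int main(void)
{
    struct mock_skb skb;
    uint16_t clen;
    enum rcv_result r;

    r = run_scenario(1, 0, &skb, &clen);
    printf("no re-check, trimmed to 1: result=%d over_read=%zu\n", r, skb.over_read);
    r = run_scenario(1, 1, &skb, &clen);
    printf("with re-check, trimmed to 1: result=%d over_read=%zu\n", r, skb.over_read);
    r = run_scenario(SIZE_MAX, 1, &skb, &clen);
    printf("untrimmed: result=%d chunk_len=%u\n", r, clen);
    return 0;
}
```

Without the re-check the trimmed packet reaches the chunk-header read with len 1 and three bytes past the packet end are consumed; with the re-check the same packet is discarded before any header byte is read, and an untrimmed packet still parses normally. The general point is that any bound established before a hook that can modify the buffer has to be re-established after it.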

Xin Long

Oct 23, 2025, 1:50:11 PM (3 days ago) Oct 23
to Ranganath V N, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, pab...@redhat.com, syzbot+d101e1...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On Thu, Oct 23, 2025 at 1:38 PM Ranganath V N <vnranga...@gmail.com> wrote:
>
> Hi Xin,
>
> Thank you for the feedback and response to the patch.
> I would like to know whether the above analysis is valid or not.
> And do you want me to test this suggestion with the syzbot?
>
Yes, if it's possible.

Ranganath V N

Oct 23, 2025, 2:16:01 PM (3 days ago) Oct 23
to lucie...@gmail.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, pab...@redhat.com, syzbot+d101e1...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, vnranga...@gmail.com
Hi Xin,

Thank you for the feedback and response to the patch.
I would like to know whether the above analysis is valid or not.
And do you want me to test this suggestion with the syzbot?

regards,
Ranganath

Ranganath V N

Oct 24, 2025, 7:44:30 AM (3 days ago) Oct 24
to Marcelo Ricardo Leitner, Xin Long, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, linux...@vger.kernel.org, net...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+d101e1...@syzkaller.appspotmail.com, Ranganath V N
Fix an issue detected by syzbot:

KMSAN reported an uninitialized-value access in sctp_inq_pop
BUG: KMSAN: uninit-value in sctp_inq_pop

The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
original check:

if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
skb_transport_offset(skb))

To handle this safely, a new check should be performed after sk_filter().
Suggested-by: Xin Long <lucie...@gmail.com>
Signed-off-by: Ranganath V N <vnranga...@gmail.com>
---
KMSAN reported an uninitialized-value access in sctp_inq_pop
---
Changes in v2:
- changes in commit message as per the code changes.
- fixed as per the suggestion.
- Link to v1: https://lore.kernel.org/r/20251023-kmsan_fix...@gmail.com
---
net/sctp/input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/input.c b/net/sctp/input.c
index 7e99894778d4..e119e460ccde 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -190,7 +190,7 @@ int sctp_rcv(struct sk_buff *skb)
goto discard_release;
nf_reset_ct(skb);

- if (sk_filter(sk, skb))
+ if (sk_filter(sk, skb) || skb->len < sizeof(struct sctp_chunkhdr))
goto discard_release;

/* Create an SCTP packet structure. */
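Review bot: the new `|| skb->len < sizeof(struct sctp_chunkhdr)` condition repeats a bound the function already enforced before the filter, and nothing in the hunk says why; a one-line comment such as `/* sk_filter() may have trimmed the skb; make sure a chunk header is still present */` would keep a future cleanup from folding the two checks back together. The Fixes: line in the description should name the commit that introduced the bug rather than the syzkaller URL, which belongs in a Closes: tag, as raised later in the thread.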

Xin Long

Oct 24, 2025, 12:02:04 PM (3 days ago) Oct 24
to Ranganath V N, Marcelo Ricardo Leitner, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, linux...@vger.kernel.org, net...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+d101e1...@syzkaller.appspotmail.com
On Fri, Oct 24, 2025 at 7:44 AM Ranganath V N <vnranga...@gmail.com> wrote:
>
> Fix an issue detected by syzbot:
>
> KMSAN reported an uninitialized-value access in sctp_inq_pop
> BUG: KMSAN: uninit-value in sctp_inq_pop
>
> The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
> In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
> original check:
>
> if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
> skb_transport_offset(skb))
> To handle this safely, a new check should be performed after sk_filter().
>
> Reported-by: syzbot+d101e1...@syzkaller.appspotmail.com
> Tested-by: syzbot+d101e1...@syzkaller.appspotmail.com
> Fixes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
> Suggested-by: Xin Long <lucie...@gmail.com>
> Signed-off-by: Ranganath V N <vnranga...@gmail.com>
Acked-by: Xin Long <lucie...@gmail.com>

Thanks for the follow up.

Simon Horman

Oct 24, 2025, 12:39:08 PM (3 days ago) Oct 24
to Ranganath V N, Marcelo Ricardo Leitner, Xin Long, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux...@vger.kernel.org, net...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+d101e1...@syzkaller.appspotmail.com
On Fri, Oct 24, 2025 at 05:14:17PM +0530, Ranganath V N wrote:
> Fix an issue detected by syzbot:
>
> KMSAN reported an uninitialized-value access in sctp_inq_pop
> BUG: KMSAN: uninit-value in sctp_inq_pop
>
> The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
> In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
> original check:
>
> if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
> skb_transport_offset(skb))
> To handle this safely, a new check should be performed after sk_filter().
>
> Reported-by: syzbot+d101e1...@syzkaller.appspotmail.com
> Tested-by: syzbot+d101e1...@syzkaller.appspotmail.com
> Fixes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7

Hi,

Thanks for your patch.

Unfortunately, this is not the correct format for a fixes tag.
A fixes tag should reference the commit where the bug
was introduced into the tree. In this case, perhaps that
is the beginning of git history. If so:

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

I think the URL you provide is appropriate for a Closes tag.

Closes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7

See https://docs.kernel.org/process/submitting-patches.html

> Suggested-by: Xin Long <lucie...@gmail.com>
> Signed-off-by: Ranganath V N <vnranga...@gmail.com>
> ---
> KMSAN reported an uninitialized-value access in sctp_inq_pop
> ---
> Changes in v2:
> - changes in commit message as per the code changes.
> - fixed as per the suggestion.
> - Link to v1: https://lore.kernel.org/r/20251023-kmsan_fix...@gmail.com

...

Ranganath V N

Oct 26, 2025, 12:33:27 PM (13 hours ago) Oct 26
to Marcelo Ricardo Leitner, Xin Long, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, linux...@vger.kernel.org, net...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+d101e1...@syzkaller.appspotmail.com, Ranganath V N
Fix an issue detected by syzbot:

KMSAN reported an uninitialized-value access in sctp_inq_pop
BUG: KMSAN: uninit-value in sctp_inq_pop

The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
original check:

if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
skb_transport_offset(skb))

To handle this safely, a new check should be performed after sk_filter().

Reported-by: syzbot+d101e1...@syzkaller.appspotmail.com
Tested-by: syzbot+d101e1...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Xin Long <lucie...@gmail.com>
Signed-off-by: Ranganath V N <vnranga...@gmail.com>
---
KMSAN reported an uninitialized-value access in sctp_inq_pop
---
Changes in v3:
- fixed the patch format (Fixes and Closes tags).
- Link to v2: https://lore.kernel.org/r/20251024-kmsan_fix...@gmail.com

Changes in v2:
- changes in commit message as per the code changes.
- fixed as per the suggestion.
- Link to v1: https://lore.kernel.org/r/20251023-kmsan_fix...@gmail.com