archive/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2025-08-15 06:01:56 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/net/sctp
History
Exact
Xin Long fd60d8a086 sctp: linearize cloned gso packets in sctp_rcv 
A cloned head skb still shares these frag skbs in fraglist with the
original head skb. It's not safe to access these frag skbs.

syzbot reported two use-of-uninitialized-memory bugs caused by this:

  BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
   sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
   sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998
   sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
   sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331
   sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122
   __release_sock+0x1da/0x330 net/core/sock.c:3106
   release_sock+0x6b/0x250 net/core/sock.c:3660
   sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360
   sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885
   sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031
   inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851
   sock_sendmsg_nosec net/socket.c:718 [inline]

and

  BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
   sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
   sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88
   sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331
   sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148
   __release_sock+0x1d3/0x330 net/core/sock.c:3213
   release_sock+0x6b/0x270 net/core/sock.c:3767
   sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367
   sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886
   sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032
   inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851
   sock_sendmsg_nosec net/socket.c:712 [inline]

This patch fixes it by linearizing cloned gso packets in sctp_rcv().

Fixes: 90017accff ("sctp: Add GSO support")
Reported-by: syzbot+773e51afe420baaf0e2b@syzkaller.appspotmail.com
Reported-by: syzbot+70a42f45e76bede082be@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://patch.msgid.link/dd7dc337b99876d4132d0961f776913719f7d225.1754595611.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-08-08 13:08:06 -07:00
..
associola.c sctp: Remove unused sctp_assoc_del_peer and sctp_chunk_iif 2025-05-05 16:51:12 -07:00
auth.c sctp: delete the nested flexible array hmac 2023-04-21 08:19:30 +01:00
bind_addr.c sctp: fail if no bound addresses can be used for a given scope 2023-01-24 18:32:33 -08:00
chunk.c net: sctp: chunk.c: delete duplicated word 2020-08-24 16:21:43 -07:00
debug.c sctp: add the probe timer in transport for PLPMTUD 2021-06-22 11:28:52 -07:00
diag.c inet_diag: add module pointer to "struct inet_diag_handler" 2024-01-23 15:13:54 +01:00
endpointola.c sctp: add dif and sdif check in asoc and ep lookup 2022-11-18 11:42:54 +00:00
input.c sctp: linearize cloned gso packets in sctp_rcv 2025-08-08 13:08:06 -07:00
inqueue.c net: sctp: fix skb leak in sctp_inq_free() 2024-02-15 07:34:52 -08:00
ipv6.c net: ipv6: Add a flags argument to ip6tunnel_xmit(), udp_tunnel6_xmit_skb() 2025-06-17 18:18:45 -07:00
Kconfig sctp: use skb_crc32c() instead of __skb_checksum() 2025-05-21 15:40:16 -07:00
Makefile sctp: add fair capacity stream scheduler 2023-03-09 11:31:44 +01:00
objcnt.c
offload.c sctp: use skb_crc32c() instead of __skb_checksum() 2025-05-21 15:40:16 -07:00
output.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
outqueue.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
primitive.c
proc.c net: remove sock_i_uid() 2025-06-23 17:04:03 -07:00
protocol.c net: ipv4: Add a flags argument to iptunnel_xmit(), udp_tunnel_xmit_skb() 2025-06-17 18:18:44 -07:00
sm_make_chunk.c sctp: Remove unused sctp_assoc_del_peer and sctp_chunk_iif 2025-05-05 16:51:12 -07:00
sm_sideeffect.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
sm_statefuns.c sctp: properly validate chunk size in sctp_sf_ootb() 2024-11-03 11:03:23 -08:00
sm_statetable.c sctp: add the probe timer in transport for PLPMTUD 2021-06-22 11:28:52 -07:00
socket.c net: make sk->sk_rcvtimeo lockless 2025-06-23 17:05:12 -07:00
stream.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
stream_interleave.c sctp: delete the nested flexible array skip 2023-04-21 08:19:29 +01:00
stream_sched.c sctp: fix a potential OOB access in sctp_sched_set_sched() 2023-05-10 12:10:15 +01:00
stream_sched_fc.c sctp: add weighted fair queueing stream scheduler 2023-03-09 11:31:44 +01:00
stream_sched_prio.c sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop 2023-02-23 12:59:40 -08:00
stream_sched_rr.c sctp: delete free member from struct sctp_sched_ops 2022-12-01 20:14:23 -08:00
sysctl.c sctp: add mutual exclusion in proc_sctp_do_udp_port() 2025-04-02 16:04:19 -07:00
transport.c net: dst: annotate data-races around dst->obsolete 2025-07-02 14:32:29 -07:00
tsnmap.c net: sctp: trivial: fix typo in comment 2021-03-04 13:48:32 -08:00
ulpevent.c net: remove noblock parameter from recvmsg() entities 2022-04-12 15:00:25 +02:00
ulpqueue.c sctp: remove unnecessary NULL check in sctp_ulpq_tail_event() 2022-10-20 21:43:10 -07:00