Re: [syzbot] [sctp?] KMSAN: uninit-value in sctp_inq_pop (3)

From: Ranganath V N
Date: Fri Oct 24 2025 - 02:34:21 EST


#syz test

On Thu, Oct 23, 2025 at 11:30 PM syzbot <syzbot+d101e12bccd4095460e7@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file net/sctp/input.c
patch: **** unexpected end of file in patch



Tested on:

commit:         ab431bc3 Merge tag 'net-6.18-rc3' of git://git.kernel...
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=bbd3e7f3c2e28265
dashboard link: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12cec3e2580000

From b1298215f873c1e98850ee13a312f422f15f13ff Mon Sep 17 00:00:00 2001
From: Ranganath V N <vnranganath.20@xxxxxxxxx>
Date: Thu, 23 Oct 2025 15:14:20 +0530
Subject: [PATCH] net: sctp: fix KMSAN uninit-value in sctp_inq_pop

Fix an issue detected by syzbot:

KMSAN reported an uninitialized-value access in sctp_inq_pop
while parsing an SCTP chunk header received from a locally transmitted packet.

BUG: KMSAN: uninit-value in sctp_inq_pop

The skb allocated in sctp_packet_transmit() contains uninitialized bytes.
The SCTP transmit path writes only the necessary header and chunk data;
the receive path reads from uninitialized parts of the skb, triggering KMSAN.

Fix this by explicitly zeroing the skb payload area after allocation
and reservation, ensuring all future reads from this region are fully
initialized.

Reported-by: syzbot+d101e12bccd4095460e7@xxxxxxxxxxxxxxxxxxxxxxxxx
Tested-by: syzbot+d101e12bccd4095460e7@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
Signed-off-by: Ranganath V N <vnranganath.20@xxxxxxxxx>
---
net/sctp/input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/input.c b/net/sctp/input.c
index 7e99894778d4..e119e460ccde 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -190,7 +190,7 @@ int sctp_rcv(struct sk_buff *skb)
goto discard_release;
nf_reset_ct(skb);

- if (sk_filter(sk, skb))
+ if (sk_filter(sk, skb) || skb->len < sizeof(struct sctp_chunkhdr))
goto discard_release;

/* Create an SCTP packet structure. */
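Review bot: the commit message and this hunk disagree: the description says the fix zeroes the skb payload after allocation and reservation in sctp_packet_transmit(), but the only change is the length test `skb->len < sizeof(struct sctp_chunkhdr)` added to the discard condition in sctp_rcv(); either the description or the diff needs to be brought in line with the other. Placing the test after `sk_filter(sk, skb) ||` also means the socket filter runs on a packet that is then discarded anyway; if a too-short skb is to be rejected here, a standalone check before sk_filter() is clearer and avoids running the filter for nothing. The trailer needs attention as well: `Fixes:` should name the commit that introduced the bug in `Fixes: <12-char sha> ("subject")` form rather than the dashboard URL (the dashboard link belongs in a `Closes:` tag), and a `Tested-by: syzbot` tag should only be added once syzbot reports a successful test, which the quoted reply above shows has not happened yet ("failed to apply patch").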
--
2.43.0