Re: [PATCH v2] net: sctp: fix KMSAN uninit-value in sctp_inq_pop

From: Xin Long
Date: Fri Oct 24 2025 - 12:03:24 EST

Next message: Koichiro Den: "Re: [RFC PATCH 00/25] NTB/PCI: Add DW eDMA intr fallback and BAR MW offsets"
Previous message: Marek Szyprowski: "Re: [PATCH v5 6/7] clocksource/drivers/exynos_mct: Add module support"
In reply to: Ranganath V N: "[PATCH v2] net: sctp: fix KMSAN uninit-value in sctp_inq_pop"
Next in thread: Simon Horman: "Re: [PATCH v2] net: sctp: fix KMSAN uninit-value in sctp_inq_pop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Oct 24, 2025 at 7:44 AM Ranganath V N <vnranganath.20@xxxxxxxxx> wrote:
>
> Fix an issue detected by syzbot:
>
> KMSAN reported an uninitialized-value access in sctp_inq_pop
> BUG: KMSAN: uninit-value in sctp_inq_pop
>
> The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
> In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
> original check:
>
> if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
> skb_transport_offset(skb))
> To handle this safely, a new check should be performed after sk_filter().
>
> Reported-by: syzbot+d101e12bccd4095460e7@xxxxxxxxxxxxxxxxxxxxxxxxx
> Tested-by: syzbot+d101e12bccd4095460e7@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
> Suggested-by: Xin Long <lucien.xin@xxxxxxxxx>
> Signed-off-by: Ranganath V N <vnranganath.20@xxxxxxxxx>
Acked-by: Xin Long <lucien.xin@xxxxxxxxx>

Thanks for the follow up.

Next message: Koichiro Den: "Re: [RFC PATCH 00/25] NTB/PCI: Add DW eDMA intr fallback and BAR MW offsets"
Previous message: Marek Szyprowski: "Re: [PATCH v5 6/7] clocksource/drivers/exynos_mct: Add module support"
In reply to: Ranganath V N: "[PATCH v2] net: sctp: fix KMSAN uninit-value in sctp_inq_pop"
Next in thread: Simon Horman: "Re: [PATCH v2] net: sctp: fix KMSAN uninit-value in sctp_inq_pop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]