Re: [PATCH v3] net: sctp: fix KMSAN uninit-value in sctp_inq_pop

Next message: Vishwaroop A: "[PATCH v3 0/3] spi: tegra210-quad: Improve timeout handling under high system load"
Previous message: Miguel Ojeda: "Re: [PATCH 5/7] gpu: nova-core: add extra conversion functions and traits"
In reply to: Ranganath V N: "[PATCH v3] net: sctp: fix KMSAN uninit-value in sctp_inq_pop"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH v3] net: sctp: fix KMSAN uninit-value in sctp_inq_pop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Simon Horman

Date: Tue Oct 28 2025 - 11:14:34 EST

On Sun, Oct 26, 2025 at 10:03:12PM +0530, Ranganath V N wrote:
> Fix an issue detected by syzbot:
>
> KMSAN reported an uninitialized-value access in sctp_inq_pop
> BUG: KMSAN: uninit-value in sctp_inq_pop
>
> The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
> In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
> original check:
>
> if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
> skb_transport_offset(skb))
> To handle this safely, a new check should be performed after sk_filter().
>
> Reported-by: syzbot+d101e12bccd4095460e7@xxxxxxxxxxxxxxxxxxxxxxxxx
> Tested-by: syzbot+d101e12bccd4095460e7@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Suggested-by: Xin Long <lucien.xin@xxxxxxxxx>
> Signed-off-by: Ranganath V N <vnranganath.20@xxxxxxxxx>
> ---
> KMSAN reported an uninitialized-value access in sctp_inq_pop
> ---
> Changes in v3:
> - fixes the patch format like fixes and closes tags.
> - Link to v2: https://lore.kernel.org/r/20251024-kmsan_fix-v2-1-dc393cfb9071@xxxxxxxxx

Thanks for the update. This version looks good to me.
And I assume it is for net.

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>