[PATCH net] net/core : fix KMSAN: uninit value in tipc_rcv

hariconscious@gmail.com posted 1 patch 1 week, 5 days ago
Posted by hariconscious@gmail.com 1 week, 5 days ago
From: HariKrishna Sagala <hariconscious@gmail.com>

Syzbot reported an uninit-value bug at kmalloc_reserve for
commit 320475fbd590 ("Merge tag 'mtd/fixes-for-6.17-rc6' of
git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux")

Syzbot KMSAN reported use of uninitialized memory originating from the function
"kmalloc_reserve()", where memory allocated via "kmem_cache_alloc_node()" or
"kmalloc_node_track_caller()" was not explicitly initialized.
This can lead to undefined behavior when the allocated buffer
is later accessed.

Fix this by requesting the initialized memory using the gfp flag
appended with the option "__GFP_ZERO".

Reported-by: syzbot+9a4fbb77c9d4aacd3388@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388
Fixes: 915d975b2ffa ("net: deal with integer overflows in
kmalloc_reserve()")
Tested-by: syzbot+9a4fbb77c9d4aacd3388@syzkaller.appspotmail.com
Signed-off-by: HariKrishna Sagala <hariconscious@gmail.com>
---
 net/core/skbuff.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index ee0274417948..2308ebf99bbd 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -573,6 +573,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node,
 	void *obj;
 
 	obj_size = SKB_HEAD_ALIGN(*size);
+	flags |= __GFP_ZERO;
 	if (obj_size <= SKB_SMALL_HEAD_CACHE_SIZE &&
 	    !(flags & KMALLOC_NOT_NORMAL_BITS)) {
 		obj = kmem_cache_alloc_node(net_hotdata.skb_small_head_cache,
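Review bot: the `flags |= __GFP_ZERO;` placed before the size check applies to every linear skb head allocated through kmalloc_reserve(), which is the allocation behind every packet the stack receives or transmits, so this adds a memset on the hottest path in networking to hide an uninitialized read in a single consumer. It is also incomplete: only what this function allocates is zeroed, and data carried in paged fragments of a non-linear skb never passes through here, so a tipc_rcv read past the bytes actually present in the skb stays uninitialized for those skbs. The fix belongs in tipc, which should check that the header bytes it reads are really present in the skb before reading them; with that in place this hunk should be dropped. The Fixes: tag is off as well: 915d975b2ffa ("net: deal with integer overflows in kmalloc_reserve()") did not make skb heads uninitialized, so it should name the tipc commit that introduced the unchecked read.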
-- 
2.43.0
Re: [PATCH net] net/core : fix KMSAN: uninit value in tipc_rcv
Posted by Eric Dumazet 1 week, 5 days ago
On Fri, Sep 19, 2025 at 11:06 AM <hariconscious@gmail.com> wrote:
>
> From: HariKrishna Sagala <hariconscious@gmail.com>
>
> Syzbot reported an uninit-value bug at kmalloc_reserve for
> commit 320475fbd590 ("Merge tag 'mtd/fixes-for-6.17-rc6' of
> git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux")
>
> Syzbot KMSAN reported use of uninitialized memory originating from the function
> "kmalloc_reserve()", where memory allocated via "kmem_cache_alloc_node()" or
> "kmalloc_node_track_caller()" was not explicitly initialized.
> This can lead to undefined behavior when the allocated buffer
> is later accessed.
>
> Fix this by requesting the initialized memory using the gfp flag
> appended with the option "__GFP_ZERO".
>
> Reported-by: syzbot+9a4fbb77c9d4aacd3388@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388
> Fixes: 915d975b2ffa ("net: deal with integer overflows in
> kmalloc_reserve()")
> Tested-by: syzbot+9a4fbb77c9d4aacd3388@syzkaller.appspotmail.com
> Signed-off-by: HariKrishna Sagala <hariconscious@gmail.com>
> ---
>  net/core/skbuff.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index ee0274417948..2308ebf99bbd 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -573,6 +573,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node,
>         void *obj;
>
>         obj_size = SKB_HEAD_ALIGN(*size);
> +       flags |= __GFP_ZERO;

Certainly not.

Some of us care about performance.

Moreover, the bug will still be there for non-linear skbs.

So please fix tipc.