1. Patchew
  2. linux
  3. View series

[PATCH v2] net: sctp: fix KMSAN uninit-value in sctp_inq_pop

Ranganath V N posted 1 patch 3 months, 2 weeks ago
There is a newer version of this series
net/sctp/input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH v2] net: sctp: fix KMSAN uninit-value in sctp_inq_pop
Posted by Ranganath V N 3 months, 2 weeks ago 
Fix an issue detected by syzbot:

KMSAN reported an uninitialized-value access in sctp_inq_pop
BUG: KMSAN: uninit-value in sctp_inq_pop

The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
original check:

        if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
                       skb_transport_offset(skb))
To handle this safely, a new check should be performed after sk_filter().

Reported-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
Tested-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
Fixes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
Suggested-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
---
KMSAN reported an uninitialized-value access in sctp_inq_pop
---
Changes in v2:
- changes in commit message as per the code changes.
- fixed as per the suggestion.
- Link to v1: https://lore.kernel.org/r/20251023-kmsan_fix-v1-1-d08c18db8877@gmail.com
---
 net/sctp/input.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/input.c b/net/sctp/input.c
index 7e99894778d4..e119e460ccde 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -190,7 +190,7 @@ int sctp_rcv(struct sk_buff *skb)
 		goto discard_release;
 	nf_reset_ct(skb);
 
-	if (sk_filter(sk, skb))
+	if (sk_filter(sk, skb) || skb->len < sizeof(struct sctp_chunkhdr))
 		goto discard_release;
 
 	/* Create an SCTP packet structure. */

---
base-commit: 43e9ad0c55a369ecc84a4788d06a8a6bfa634f1c
change-id: 20251023-kmsan_fix-78d527b9960b

Best regards,
-- 
Ranganath V N <vnranganath.20@gmail.com>
Re: [PATCH v2] net: sctp: fix KMSAN uninit-value in sctp_inq_pop
Posted by Simon Horman 3 months, 2 weeks ago 
On Fri, Oct 24, 2025 at 05:14:17PM +0530, Ranganath V N wrote:
> Fix an issue detected by syzbot:
> 
> KMSAN reported an uninitialized-value access in sctp_inq_pop
> BUG: KMSAN: uninit-value in sctp_inq_pop
> 
> The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
> In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
> original check:
> 
>         if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
>                        skb_transport_offset(skb))
> To handle this safely, a new check should be performed after sk_filter().
> 
> Reported-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
> Tested-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
> Fixes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7

Hi,

Thanks for your patch.

Unfortunately, this is not the correct format for a fixes tag.
A fixes tag should reference the commit where the bug
was introduced into the tree. In this case, perhaps that
is the beginning of git history. If so:

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

I think the URL you provide is appropriate for a Closed tag.

Closes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7

See https://docs.kernel.org/process/submitting-patches.html

> Suggested-by: Xin Long <lucien.xin@gmail.com>
> Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
> ---
> KMSAN reported an uninitialized-value access in sctp_inq_pop
> ---
> Changes in v2:
> - changes in commit message as per the code changes.
> - fixed as per the suggestion.
> - Link to v1: https://lore.kernel.org/r/20251023-kmsan_fix-v1-1-d08c18db8877@gmail.com

...
Re: [PATCH v2] net: sctp: fix KMSAN uninit-value in sctp_inq_pop
Posted by Xin Long 3 months, 2 weeks ago 
On Fri, Oct 24, 2025 at 7:44 AM Ranganath V N <vnranganath.20@gmail.com> wrote:
>
> Fix an issue detected by syzbot:
>
> KMSAN reported an uninitialized-value access in sctp_inq_pop
> BUG: KMSAN: uninit-value in sctp_inq_pop
>
> The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
> In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
> original check:
>
>         if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
>                        skb_transport_offset(skb))
> To handle this safely, a new check should be performed after sk_filter().
>
> Reported-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
> Tested-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
> Fixes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
> Suggested-by: Xin Long <lucien.xin@gmail.com>
> Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>

Thanks for the follow up.

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.