From: ssrane_b23@ee.vjti.ac.in
X-Google-Original-From: ssranevjti@gmail.com
To: socketcan@hartkopp.net
Cc: mkl@pengutronix.de, jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, linux-can@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linux.dev, david.hunter.linux@gmail.com, khalid@kernel.org, Shaurya Rane, syzbot+5d8269a1e099279152bc@syzkaller.appspotmail.com
Subject: [PATCH net] net/sched: em_canid: add length check before reading CAN ID
Date: Wed, 26 Nov 2025 09:16:01 +0530
Message-Id: <20251126034601.236922-1-ssranevjti@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Shaurya Rane

Add a check to verify that the skb has at least sizeof(canid_t) bytes
before reading the CAN ID from skb->data. This prevents reading
uninitialized memory when processing malformed packets that don't
contain a valid CAN frame.

Reported-by: syzbot+5d8269a1e099279152bc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5d8269a1e099279152bc
Fixes: f057bbb6f9ed ("net: em_canid: Ematch rule to match CAN frames according to their identifiers")
Signed-off-by: Shaurya Rane
---
 net/sched/em_canid.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sched/em_canid.c b/net/sched/em_canid.c index 5337bc462755..a9b6cab70ff1 100644 --- a/net/sched/em_canid.c +++ b/net/sched/em_canid.c @@ -99,6 +99,9 @@ static int em_canid_match(struct sk_buff *skb, struct tcf= _ematch *m, int i; const struct can_filter *lp; =20 + if (skb->len < sizeof(canid_t)) + return 0; + can_id =3D em_canid_get_id(skb); =20 if (can_id & CAN_EFF_FLAG) { --=20 2.34.1
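
Review bot: The new guard at the top of em_canid_match() compares against skb->len, which is the total packet length including any non-linear (paged) data, while the commit message states that the CAN ID is read from skb->data. A packet whose linear area is shorter than sizeof(canid_t) but whose total length is not would still pass `if (skb->len < sizeof(canid_t))` and reach em_canid_get_id(skb). Consider bounding the linear area instead, for example by comparing against skb_headlen(skb) or by using `if (!pskb_may_pull(skb, sizeof(canid_t))) return 0;`. A one-line comment above the check saying that a frame too short to carry a canid_t is treated as a non-match would also document why 0 is returned here rather than an error.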