net/core/flow_dissector.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
When dissecting FLOW_DISSECTOR_KEY_ETH_ADDRS, the code unconditionally
copies sizeof(flow_dissector_key_eth_addrs) (12 bytes) from eth_hdr(skb).
However, if the packet is too short (e.g., a 1-byte packet sent via
AF_PACKET on a TUN device), eth_hdr(skb) points to uninitialized skb
memory beyond the actual packet data.
This causes KMSAN to report uninit-value in __fl_lookup() when the
uninitialized eth addresses are used as rhashtable lookup key in
cls_flower.
Fix by checking that sufficient data exists from mac_header to skb tail
before copying. If not enough data, zero the key to ensure deterministic
behavior (no false matches).
Reported-by: syzbot+fa2f5b1fb06147be5e16@syzkaller.appspotmail.com
Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
---
net/core/flow_dissector.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 2a98f5fa74eb..d5817b800079 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -1173,13 +1173,19 @@ bool __skb_flow_dissect(const struct net *net,
if (dissector_uses_key(flow_dissector,
FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
- struct ethhdr *eth = eth_hdr(skb);
struct flow_dissector_key_eth_addrs *key_eth_addrs;
key_eth_addrs = skb_flow_dissector_target(flow_dissector,
FLOW_DISSECTOR_KEY_ETH_ADDRS,
target_container);
- memcpy(key_eth_addrs, eth, sizeof(*key_eth_addrs));
+ /* Ensure the skb has enough data at mac_header to cover
+ * both src and dst Ethernet addresses.
+ */
+ if (skb_mac_header_was_set(skb) &&
+ skb_tail_pointer(skb) - skb_mac_header(skb) >= sizeof(*key_eth_addrs))
+ memcpy(key_eth_addrs, eth_hdr(skb), sizeof(*key_eth_addrs));
+ else
+ memset(key_eth_addrs, 0, sizeof(*key_eth_addrs));
}
if (dissector_uses_key(flow_dissector,
--
2.43.0
On 6/3/26 11:08, Yun Zhou wrote:
> When dissecting FLOW_DISSECTOR_KEY_ETH_ADDRS, the code unconditionally
> copies sizeof(flow_dissector_key_eth_addrs) (12 bytes) from eth_hdr(skb).
> However, if the packet is too short (e.g., a 1-byte packet sent via
> AF_PACKET on a TUN device), eth_hdr(skb) points to uninitialized skb
> memory beyond the actual packet data.
>
> This causes KMSAN to report uninit-value in __fl_lookup() when the
> uninitialized eth addresses are used as rhashtable lookup key in
> cls_flower.
>
> Fix by checking that sufficient data exists from mac_header to skb tail
> before copying. If not enough data, zero the key to ensure deterministic
> behavior (no false matches).
>
> Reported-by: syzbot+fa2f5b1fb06147be5e16@syzkaller.appspotmail.com
> Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
> Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
> ---
> net/core/flow_dissector.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
> index 2a98f5fa74eb..d5817b800079 100644
> --- a/net/core/flow_dissector.c
> +++ b/net/core/flow_dissector.c
> @@ -1173,13 +1173,19 @@ bool __skb_flow_dissect(const struct net *net,
>
> if (dissector_uses_key(flow_dissector,
> FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
> - struct ethhdr *eth = eth_hdr(skb);
> struct flow_dissector_key_eth_addrs *key_eth_addrs;
>
> key_eth_addrs = skb_flow_dissector_target(flow_dissector,
> FLOW_DISSECTOR_KEY_ETH_ADDRS,
> target_container);
> - memcpy(key_eth_addrs, eth, sizeof(*key_eth_addrs));
> + /* Ensure the skb has enough data at mac_header to cover
> + * both src and dst Ethernet addresses.
> + */
> + if (skb_mac_header_was_set(skb) &&
> + skb_tail_pointer(skb) - skb_mac_header(skb) >= sizeof(*key_eth_addrs))
> + memcpy(key_eth_addrs, eth_hdr(skb), sizeof(*key_eth_addrs));
> + else
> + memset(key_eth_addrs, 0, sizeof(*key_eth_addrs));
> }
>
> if (dissector_uses_key(flow_dissector,
Hi Jakub,
What is your opinion on this fix method?
On Tue, Jun 2, 2026 at 8:08 PM Yun Zhou <yun.zhou@windriver.com> wrote:
>
> When dissecting FLOW_DISSECTOR_KEY_ETH_ADDRS, the code unconditionally
> copies sizeof(flow_dissector_key_eth_addrs) (12 bytes) from eth_hdr(skb).
> However, if the packet is too short (e.g., a 1-byte packet sent via
> AF_PACKET on a TUN device), eth_hdr(skb) points to uninitialized skb
> memory beyond the actual packet data.
>
> This causes KMSAN to report uninit-value in __fl_lookup() when the
> uninitialized eth addresses are used as rhashtable lookup key in
> cls_flower.
>
> Fix by checking that sufficient data exists from mac_header to skb tail
> before copying. If not enough data, zero the key to ensure deterministic
> behavior (no false matches).
>
> Reported-by: syzbot+fa2f5b1fb06147be5e16@syzkaller.appspotmail.com
Please add a Closes: tag
I found some not relevant syzbot report :
https://lore.kernel.org/netdev/6a196faf.c16d89a8.217f2c.0002.GAE@google.com/
> Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
> Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
> ---
> net/core/flow_dissector.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
> index 2a98f5fa74eb..d5817b800079 100644
> --- a/net/core/flow_dissector.c
> +++ b/net/core/flow_dissector.c
> @@ -1173,13 +1173,19 @@ bool __skb_flow_dissect(const struct net *net,
>
> if (dissector_uses_key(flow_dissector,
> FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
> - struct ethhdr *eth = eth_hdr(skb);
> struct flow_dissector_key_eth_addrs *key_eth_addrs;
>
> key_eth_addrs = skb_flow_dissector_target(flow_dissector,
> FLOW_DISSECTOR_KEY_ETH_ADDRS,
> target_container);
> - memcpy(key_eth_addrs, eth, sizeof(*key_eth_addrs));
> + /* Ensure the skb has enough data at mac_header to cover
> + * both src and dst Ethernet addresses.
> + */
> + if (skb_mac_header_was_set(skb) &&
> + skb_tail_pointer(skb) - skb_mac_header(skb) >= sizeof(*key_eth_addrs))
> + memcpy(key_eth_addrs, eth_hdr(skb), sizeof(*key_eth_addrs));
> + else
> + memset(key_eth_addrs, 0, sizeof(*key_eth_addrs));
> }
Can you show us a stack trace, why mac_header would not be set at this point?
On 6/3/26 13:44, Eric Dumazet wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> On Tue, Jun 2, 2026 at 8:08 PM Yun Zhou <yun.zhou@windriver.com> wrote:
> Please add a Closes: tag
I will add a Closes link in v2.
Closes: https://syzkaller.appspot.com/bug?extid=fa2f5b1fb06147be5e16
>
> I found some not relevant syzbot report :
>
> https://lore.kernel.org/netdev/6a196faf.c16d89a8.217f2c.0002.GAE@google.com/
This should be the same issue. And it can be reproduced by
https://syzkaller.appspot.com/text?tag=ReproC&x=12924152580000
>
>> Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
>> Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
>> ---
>> net/core/flow_dissector.c | 10 ++++++++--
>> 1 file changed, 8 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
>> index 2a98f5fa74eb..d5817b800079 100644
>> --- a/net/core/flow_dissector.c
>> +++ b/net/core/flow_dissector.c
>> @@ -1173,13 +1173,19 @@ bool __skb_flow_dissect(const struct net *net,
>>
>> if (dissector_uses_key(flow_dissector,
>> FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
>> - struct ethhdr *eth = eth_hdr(skb);
>> struct flow_dissector_key_eth_addrs *key_eth_addrs;
>>
>> key_eth_addrs = skb_flow_dissector_target(flow_dissector,
>> FLOW_DISSECTOR_KEY_ETH_ADDRS,
>> target_container);
>> - memcpy(key_eth_addrs, eth, sizeof(*key_eth_addrs));
>> + /* Ensure the skb has enough data at mac_header to cover
>> + * both src and dst Ethernet addresses.
>> + */
>> + if (skb_mac_header_was_set(skb) &&
>> + skb_tail_pointer(skb) - skb_mac_header(skb) >= sizeof(*key_eth_addrs))
>> + memcpy(key_eth_addrs, eth_hdr(skb), sizeof(*key_eth_addrs));
>> + else
>> + memset(key_eth_addrs, 0, sizeof(*key_eth_addrs));
>> }
> Can you show us a stack trace, why mac_header would not be set at this point?
It seems that there is no need to call skb_mac_header_was_set(skb).
On Wed, Jun 3, 2026 at 1:16 AM Zhou, Yun <yun.zhou@windriver.com> wrote:
>
>
>
> On 6/3/26 13:44, Eric Dumazet wrote:
> > CAUTION: This email comes from a non Wind River email account!
> > Do not click links or open attachments unless you recognize the sender and know the content is safe.
> >
> > On Tue, Jun 2, 2026 at 8:08 PM Yun Zhou <yun.zhou@windriver.com> wrote:
> > Please add a Closes: tag
> I will add a Closes link in v2.
> Closes: https://syzkaller.appspot.com/bug?extid=fa2f5b1fb06147be5e16
> >
> > I found some not relevant syzbot report :
> >
> > https://lore.kernel.org/netdev/6a196faf.c16d89a8.217f2c.0002.GAE@google.com/
> This should be the same issue. And it can be reproduced by
> https://syzkaller.appspot.com/text?tag=ReproC&x=12924152580000
Please investigate which device allowed to send an Ethernet packet
smaller than the ethernet header.
We do not want to add tests all over the places, we should fix the origin.
Look for dev->min_header_len
Thanks.
> >
> >> Fixes: 67a900cc0436 ("flow_dissector: introduce support for Ethernet addresses")
> >> Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
> >> ---
> >> net/core/flow_dissector.c | 10 ++++++++--
> >> 1 file changed, 8 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
> >> index 2a98f5fa74eb..d5817b800079 100644
> >> --- a/net/core/flow_dissector.c
> >> +++ b/net/core/flow_dissector.c
> >> @@ -1173,13 +1173,19 @@ bool __skb_flow_dissect(const struct net *net,
> >>
> >> if (dissector_uses_key(flow_dissector,
> >> FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
> >> - struct ethhdr *eth = eth_hdr(skb);
> >> struct flow_dissector_key_eth_addrs *key_eth_addrs;
> >>
> >> key_eth_addrs = skb_flow_dissector_target(flow_dissector,
> >> FLOW_DISSECTOR_KEY_ETH_ADDRS,
> >> target_container);
> >> - memcpy(key_eth_addrs, eth, sizeof(*key_eth_addrs));
> >> + /* Ensure the skb has enough data at mac_header to cover
> >> + * both src and dst Ethernet addresses.
> >> + */
> >> + if (skb_mac_header_was_set(skb) &&
> >> + skb_tail_pointer(skb) - skb_mac_header(skb) >= sizeof(*key_eth_addrs))
> >> + memcpy(key_eth_addrs, eth_hdr(skb), sizeof(*key_eth_addrs));
> >> + else
> >> + memset(key_eth_addrs, 0, sizeof(*key_eth_addrs));
> >> }
> > Can you show us a stack trace, why mac_header would not be set at this point?
> It seems that there is no need to call skb_mac_header_was_set(skb).
On 6/3/26 4:33 PM, Eric Dumazet wrote: > On Wed, Jun 3, 2026 at 1:16 AM Zhou, Yun <yun.zhou@windriver.com> wrote: >> >> >> On 6/3/26 13:44, Eric Dumazet wrote: >>> CAUTION: This email comes from a non Wind River email account! >>> Do not click links or open attachments unless you recognize the sender and know the content is safe. >>> >>> On Tue, Jun 2, 2026 at 8:08 PM Yun Zhou <yun.zhou@windriver.com> wrote: >>> Please add a Closes: tag >> I will add a Closes link in v2. >> Closes: https://syzkaller.appspot.com/bug?extid=fa2f5b1fb06147be5e16 >>> I found some not relevant syzbot report : >>> >>> https://lore.kernel.org/netdev/6a196faf.c16d89a8.217f2c.0002.GAE@google.com/ >> This should be the same issue. And it can be reproduced by >> https://syzkaller.appspot.com/text?tag=ReproC&x=12924152580000 > Please investigate which device allowed to send an Ethernet packet > smaller than the ethernet header. > > We do not want to add tests all over the places, we should fix the origin. > > Look for dev->min_header_len > > Thanks. It's TUN. I think we should reject loading "tc filter ... flower eth_dst aa:bb:cc:dd:ee:ff ... " if dev->hard_header_len < sizeof(flow_dissector_key_eth_addrs)
On 6/3/26 16:54, Jiayuan Chen wrote: > CAUTION: This email comes from a non Wind River email account! > Do not click links or open attachments unless you recognize the sender > and know the content is safe. > > On 6/3/26 4:33 PM, Eric Dumazet wrote: >> On Wed, Jun 3, 2026 at 1:16 AM Zhou, Yun <yun.zhou@windriver.com> wrote: >>> >>> >>> On 6/3/26 13:44, Eric Dumazet wrote: >>>> CAUTION: This email comes from a non Wind River email account! >>>> Do not click links or open attachments unless you recognize the >>>> sender and know the content is safe. >>>> >>>> On Tue, Jun 2, 2026 at 8:08 PM Yun Zhou <yun.zhou@windriver.com> >>>> wrote: >>>> Please add a Closes: tag >>> I will add a Closes link in v2. >>> Closes: https://syzkaller.appspot.com/bug?extid=fa2f5b1fb06147be5e16 >>>> I found some not relevant syzbot report : >>>> >>>> https://lore.kernel.org/netdev/6a196faf.c16d89a8.217f2c.0002.GAE@google.com/ >>>> >>> This should be the same issue. And it can be reproduced by >>> https://syzkaller.appspot.com/text?tag=ReproC&x=12924152580000 >> Please investigate which device allowed to send an Ethernet packet >> smaller than the ethernet header. >> >> We do not want to add tests all over the places, we should fix the >> origin. >> >> Look for dev->min_header_len >> >> Thanks. > > > It's TUN. > > I think we should reject loading "tc filter ... flower eth_dst > aa:bb:cc:dd:ee:ff ... " if dev->hard_header_len < > sizeof(flow_dissector_key_eth_addrs) > I will add checks in fl_change() Thanks very much for your suggestion.
© 2016 - 2026 Red Hat, Inc.