git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Ranganath V N <vnranganath.20@gmail.com>
	Sun, 26 Oct 2025 16:33:12 +0000 (22:03 +0530)
committer	Paolo Abeni <pabeni@redhat.com>
	Thu, 30 Oct 2025 10:21:05 +0000 (11:21 +0100)
commit	51e5ad549c43b557c7da1e4d1a1dcf061b4a5f6c
tree	e62cff853ad04428f9f97a771096038d8eca1c3a	tree \| snapshot
parent	6a2108c78069fda000729b88c97b1eba0405e6d7	commit \| diff

net: sctp: fix KMSAN uninit-value in sctp_inq_pop

Fix an issue detected by syzbot:

KMSAN reported an uninitialized-value access in sctp_inq_pop
BUG: KMSAN: uninit-value in sctp_inq_pop

The issue is actually caused by skb trimming via sk_filter() in sctp_rcv().
In the reproducer, skb->len becomes 1 after sk_filter(), which bypassed the
original check:

if (skb->len < sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr) +
skb_transport_offset(skb))
To handle this safely, a new check should be performed after sk_filter().

Reported-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
Tested-by: syzbot+d101e12bccd4095460e7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d101e12bccd4095460e7
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251026-kmsan_fix-v3-1-2634a409fa5f@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>