In the Linux kernel, the following vulnerability has been resolved:
dccp: fix dccpv4err()/dccpv6err() again
dh->dccphx is the 9th byte (offset 8) in "struct dccphdr", not in the "byte 7" as Jann claimed.
We need to make sure the ICMP messages are big enough, using more standard ways (no more assumptions).
syzbot reported: BUG: KMSAN: uninit-value in pskbmaypullreason include/linux/skbuff.h:2667 [inline] BUG: KMSAN: uninit-value in pskbmaypull include/linux/skbuff.h:2681 [inline] BUG: KMSAN: uninit-value in dccpv6err+0x426/0x1aa0 net/dccp/ipv6.c:94 pskbmaypullreason include/linux/skbuff.h:2667 [inline] pskbmaypull include/linux/skbuff.h:2681 [inline] dccpv6err+0x426/0x1aa0 net/dccp/ipv6.c:94 icmpv6notify+0x4c7/0x880 net/ipv6/icmp.c:867 icmpv6rcv+0x19d5/0x30d0 ip6protocoldeliverrcu+0xda6/0x2a60 net/ipv6/ip6input.c:438 ip6inputfinish net/ipv6/ip6input.c:483 [inline] NFHOOK include/linux/netfilter.h:304 [inline] ip6input+0x15d/0x430 net/ipv6/ip6input.c:492 ip6mcinput+0xa7e/0xc80 net/ipv6/ip6input.c:586 dstinput include/net/dst.h:468 [inline] ip6rcvfinish+0x5db/0x870 net/ipv6/ip6input.c:79 NFHOOK include/linux/netfilter.h:304 [inline] ipv6rcv+0xda/0x390 net/ipv6/ip6input.c:310 _netifreceiveskbonecore net/core/dev.c:5523 [inline] _netifreceiveskb+0x1a6/0x5a0 net/core/dev.c:5637 netifreceiveskbinternal net/core/dev.c:5723 [inline] netifreceiveskb+0x58/0x660 net/core/dev.c:5782 tunrxbatched+0x83b/0x920 tungetuser+0x564c/0x6940 drivers/net/tun.c:2002 tunchrwriteiter+0x3af/0x5d0 drivers/net/tun.c:2048 callwriteiter include/linux/fs.h:1985 [inline] newsyncwrite fs/readwrite.c:491 [inline] vfswrite+0x8ef/0x15c0 fs/readwrite.c:584 ksyswrite+0x20f/0x4c0 fs/readwrite.c:637 _dosyswrite fs/readwrite.c:649 [inline] _sesyswrite fs/readwrite.c:646 [inline] _x64syswrite+0x93/0xd0 fs/readwrite.c:646 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x41/0xc0 arch/x86/entry/common.c:80 entrySYSCALL64after_hwframe+0x63/0xcd
Uninit was created at: slabpostallochook+0x12f/0xb70 mm/slab.h:767 slaballocnode mm/slub.c:3478 [inline] kmemcacheallocnode+0x577/0xa80 mm/slub.c:3523 kmallocreserve+0x13d/0x4a0 net/core/skbuff.c:559 _allocskb+0x318/0x740 net/core/skbuff.c:650 allocskb include/linux/skbuff.h:1286 [inline] allocskbwithfrags+0xc8/0xbd0 net/core/skbuff.c:6313 sockallocsendpskb+0xa80/0xbf0 net/core/sock.c:2795 tunallocskb drivers/net/tun.c:1531 [inline] tungetuser+0x23cf/0x6940 drivers/net/tun.c:1846 tunchrwriteiter+0x3af/0x5d0 drivers/net/tun.c:2048 callwriteiter include/linux/fs.h:1985 [inline] newsyncwrite fs/readwrite.c:491 [inline] vfswrite+0x8ef/0x15c0 fs/readwrite.c:584 ksyswrite+0x20f/0x4c0 fs/readwrite.c:637 _dosyswrite fs/readwrite.c:649 [inline] _sesyswrite fs/readwrite.c:646 [inline] _x64syswrite+0x93/0xd0 fs/readwrite.c:646 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x41/0xc0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd
CPU: 0 PID: 4995 Comm: syz-executor153 Not tainted 6.6.0-rc1-syzkaller-00014-ga747acc0b752 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023