In the Linux kernel, the following vulnerability has been resolved:
net: hsr: must allocate more bytes for RedBox support
The blamed commit forgot to change hsr_init_skb() to allocate a larger skb for the RedBox case.
Indeed, send_hsr_supervision_frame() will add two additional components (struct hsr_sup_tlv and struct hsr_sup_payload).
syzbot reported the following crash:

skbuff: skb_over_panic: text:ffffffff8afd4b0a len:34 put:6 head:ffff88802ad29e00 data:ffff88802ad29f22 tail:0x144 end:0x140 dev:gretap0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:206!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 2 UID: 0 PID: 7611 Comm: syz-executor Not tainted 6.12.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:skb_panic+0x157/0x1d0 net/core/skbuff.c:206
Code: b6 04 01 84 c0 74 04 3c 03 7e 21 8b 4b 70 41 56 45 89 e8 48 c7 c7 a0 7d 9b 8c 41 57 56 48 89 ee 52 4c 89 e2 e8 9a 76 79 f8 90 <0f> 0b 4c 89 4c 24 10 48 89 54 24 08 48 89 34 24 e8 94 76 fb f8 4c
RSP: 0018:ffffc90000858ab8 EFLAGS: 00010282
RAX: 0000000000000087 RBX: ffff8880598c08c0 RCX: ffffffff816d3e69
RDX: 0000000000000000 RSI: ffffffff816de786 RDI: 0000000000000005
RBP: ffffffff8c9b91c0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000302 R11: ffffffff961cc1d0 R12: ffffffff8afd4b0a
R13: 0000000000000006 R14: ffff88804b938130 R15: 0000000000000140
FS:  000055558a3d6500(0000) GS:ffff88806a800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1295974ff8 CR3: 000000002ab6e000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 skb_over_panic net/core/skbuff.c:211 [inline]
 skb_put+0x174/0x1b0 net/core/skbuff.c:2617
 send_hsr_supervision_frame+0x6fa/0x9e0 net/hsr/hsr_device.c:342
 hsr_proxy_announce+0x1a3/0x4a0 net/hsr/hsr_device.c:436
 call_timer_fn+0x1a0/0x610 kernel/time/timer.c:1794
 expire_timers kernel/time/timer.c:1845 [inline]
 __run_timers+0x6e8/0x930 kernel/time/timer.c:2419
 __run_timer_base kernel/time/timer.c:2430 [inline]
 __run_timer_base kernel/time/timer.c:2423 [inline]
 run_timer_base+0x111/0x190 kernel/time/timer.c:2439
 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2449
 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu kernel/softirq.c:637 [inline]
 irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
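As an added illustration (not kernel code and not the actual fix), the following toy model reproduces the sk_buff tail/end accounting behind the skb_over_panic above: a supervision frame is built with an allocation that omits the RedBox components (the bug) and with one that budgets for them. The 34-byte base length and the component sizes are constructed assumptions for the model.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the sk_buff fields involved (constructed for this example, not kernel code). */
struct toy_skb { unsigned char *head, *data, *tail, *end; };

/* Stand-ins for struct hsr_sup_tlv and struct hsr_sup_payload; the sizes are assumptions. */
struct sup_tlv { unsigned char type, len; };
struct sup_payload { unsigned char mac_a[6]; };
#define BASE_SUP_LEN 34 /* constructed: bytes a non-RedBox supervision frame already carries */

static struct toy_skb *toy_alloc(size_t size) {
    struct toy_skb *s = calloc(1, sizeof(*s));
    s->head = s->data = s->tail = calloc(1, size);
    s->end = s->head + size;
    return s;
}

/* skb_put()-like append: the kernel calls skb_over_panic() here; the model reports and returns NULL. */
static void *toy_put(struct toy_skb *s, size_t len) {
    if ((size_t)(s->end - s->tail) < len) {
        fprintf(stderr, "over-panic: len:%zu put:%zu tail:%zu end:%zu\n",
                (size_t)(s->tail - s->data), len,
                (size_t)(s->tail - s->head), (size_t)(s->end - s->head));
        return NULL;
    }
    void *p = s->tail;
    s->tail += len;
    return p;
}

/* Model of hsr_init_skb(): with fixed == 0 the RedBox components are not budgeted (the bug). */
static struct toy_skb *init_skb(int redbox, int fixed) {
    size_t len = BASE_SUP_LEN;
    if (redbox && fixed)
        len += sizeof(struct sup_tlv) + sizeof(struct sup_payload);
    return toy_alloc(len);
}

/* Model of send_hsr_supervision_frame(): 0 if every put fits, -1 if one overran the buffer. */
static int build_sup_frame(int redbox, int fixed) {
    struct toy_skb *s = init_skb(redbox, fixed);
    int ok = toy_put(s, BASE_SUP_LEN) != NULL;
    if (ok && redbox) /* RedBox appends a second TLV and payload, exactly what the allocation lacked */
        ok = toy_put(s, sizeof(struct sup_tlv)) != NULL &&
             toy_put(s, sizeof(struct sup_payload)) != NULL;
    free(s->head); free(s);
    return ok ? 0 : -1;
}
```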