CVE-2025-38718: sctp: linearize cloned gso packets in sctp_rcv

CKI Backport Botrequested to merge
redhat/red-hat-ci-tools/kernel/bot-branches/centos-stream/src/kernel/centos-stream-10:backport-RHEL-113341-centos-stream-10-main into main

JIRA: https://issues.redhat.com/browse/RHEL-113341
CVE: CVE-2025-38718

commit fd60d8a086191fe33c2d719732d2482052fa6805
Author: Xin Long <lucien.xin@gmail.com>
Date:   Thu Aug 7 15:40:11 2025 -0400

    sctp: linearize cloned gso packets in sctp_rcv
    
    A cloned head skb still shares these frag skbs in fraglist with the
    original head skb. It's not safe to access these frag skbs.
    
    syzbot reported two use-of-uninitialized-memory bugs caused by this:
    
      BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
       sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
       sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998
       sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
       sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331
       sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122
       __release_sock+0x1da/0x330 net/core/sock.c:3106
       release_sock+0x6b/0x250 net/core/sock.c:3660
       sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360
       sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885
       sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031
       inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851
       sock_sendmsg_nosec net/socket.c:718 [inline]
    
    and
    
      BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
       sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
       sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88
       sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331
       sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148
       __release_sock+0x1d3/0x330 net/core/sock.c:3213
       release_sock+0x6b/0x270 net/core/sock.c:3767
       sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367
       sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886
       sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032
       inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851
       sock_sendmsg_nosec net/socket.c:712 [inline]
    
    This patch fixes it by linearizing cloned gso packets in sctp_rcv().
    
    Fixes: 90017accff61 ("sctp: Add GSO support")
    Reported-by: syzbot+773e51afe420baaf0e2b@syzkaller.appspotmail.com
    Reported-by: syzbot+70a42f45e76bede082be@syzkaller.appspotmail.com
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Link: https://patch.msgid.link/dd7dc337b99876d4132d0961f776913719f7d225.1754595611.git.lucien.xin@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Signed-off-by: CKI Backport Bot cki-ci-bot+cki-gitlab-backport-bot@redhat.com

Created 2025-09-05 19:17 UTC by backporter - KWF FAQ - Slack #team-kernel-workflow - Source - Documentation - Report an issue

Merge request reports