On Tue, Aug 05, 2025 at 02:20:41PM +0800, bsdhenrymartin@xxxxxxxxx wrote:
> From: Henry Martin <bsdhenryma@xxxxxxxxxxx>
>
> vmci_transport_dgram_dequeue() lacks buffer length validation before accessing the `vmci_datagram` header.
>
> Trigger Path:
> 1. Attacker sends a datagram with length < sizeof(struct vmci_datagram).

How?

> 2. `skb_recv_datagram()` returns the malformed sk_buff (skb->len < sizeof(struct vmci_datagram)).

The sk_buff is queued by vmci_transport_recv_dgram_cb() calling sk_receive_skb(). And it is allocated with this code:

    #define VMCI_DG_HEADERSIZE sizeof(struct vmci_datagram)
    #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)

    static int vmci_transport_recv_dgram_cb(void *data, struct vmci_datagram *dg)
    {
        ...
        size = VMCI_DG_SIZE(dg);

        /* Attach the packet to the socket's receive queue as an sk_buff. */
        skb = alloc_skb(size, GFP_ATOMIC);
        ...
        skb_put(skb, size);
        ...
    }

So I don't understand what this patch is fixing...

> 3. Code casts skb->data to struct vmci_datagram *dg without verifying skb->len.
> 4. Accessing `dg->payload_size` (Line: `payload_len = dg->payload_size;`) reads out-of-bounds memory.
>
> Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
> Reported-by: TCS Robot <tcs_robot@xxxxxxxxxxx>

Please fix your robot and also check your patches. This is the second nonsense patch from you I reviewed today; I'll start ignoring them if you continue.

Stefano
Signed-off-by: Henry Martin <bsdhenryma@xxxxxxxxxxx> --- net/vmw_vsock/vmci_transport.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c index 7eccd6708d66..0be605e19b2e 100644 --- a/net/vmw_vsock/vmci_transport.c +++ b/net/vmw_vsock/vmci_transport.c @@ -1749,6 +1749,11 @@ static int vmci_transport_dgram_dequeue(struct vsock_sock *vsk, if (!skb) return err; + if (skb->len < sizeof(struct vmci_datagram)) { + err = -EINVAL; + goto out; + } + dg = (struct vmci_datagram *)skb->data; if (!dg) /* err is 0, meaning we read zero bytes. */ -- 2.41.3
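Review bot: the new `skb->len < sizeof(struct vmci_datagram)` check in vmci_transport_dgram_dequeue() looks unreachable, which is the point Stefano raises above: the skb being dequeued is allocated in vmci_transport_recv_dgram_cb() with `alloc_skb(size, GFP_ATOMIC)` and filled with `skb_put(skb, size)` where `size = VMCI_DG_SIZE(dg)`, and VMCI_DG_SIZE() is VMCI_DG_HEADERSIZE plus the payload size, so skb->len is never smaller than the header. If the check is to stay, the commit message must explain how a shorter skb can actually reach this receive queue; a robot report of a missing bound is not evidence of one. Two smaller points on the hunk itself: the `goto out` jumps to a label outside the shown context, so confirm that path releases the skb obtained from skb_recv_datagram() rather than leaking it on the new -EINVAL return, and the existing `if (!dg)` test that follows the cast is left untouched even though the patch now reasons about skb->len, so the two checks should at least be reconciled in the description.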