ipv4: cipso potential BUG()

Will Rosenberg whrosenb at asu.edu
Mon Jan 19 20:46:40 UTC 2026


Previously, it was discussed that skb_cow() has a bug due to implicit
integer casting that can lead to a BUG when headroom < -NET_SKB_PAD. We
concluded that it was not worthwhile to fix the root cause and to
instead fix the symptom found in calipso. The thread for this issue can
be found here:

https://lore.kernel.org/netdev/CAHC9VhQmR8A2vz0W-VrrhYNQ2wgCYxHbAmdgmM2yTL-uh4qiOg@mail.gmail.com/

I recently reviewed the use cases of skb_cow() throughout the kernel and
found that cipso_v4_skbuff_setattr() comes very close to triggering the
same BUG. However, I concluded this was not triggerable. Even though
len_delta can become negative, leading to a negative headroom passed to
skb_cow(), we do not satisfy the condition headroom < -NET_SKB_PAD.

Nonetheless, I believe cipso is using skb_cow() dangerously, but since
the issue is not triggerable, would it still make sense to patch it?
I figured I would throw out a quick email. Please let me know and I can
make a similar patch for cipso if necessary.

--
Will Rosenberg
