CVE-2026-43244
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
kcm: fix zero-frag skb in frag_list on partial sendmsg error
Syzkaller reported a warning in kcm_write_msgs() when processing a message with a zero-fragment skb in the frag_list.
When kcm_sendmsg() fills MAX_SKB_FRAGS fragments in the current skb, it allocates a new skb (tskb) and links it into the frag_list before copying data. If the copy subsequently fails (e.g. -EFAULT from user memory), tskb remains in the frag_list with zero fragments:
head skb (msg being assembled, NOT yet in sk_write_queue) +———–+ | frags[17] | (MAX_SKB_FRAGS, all filled with data) | frag_list-+–> tskb +———–+ +———-+ | frags[0] | (empty! copy failed before filling) +———-+
For SOCK_SEQPACKET with partial data already copied, the error path saves this message via partial_message for later completion. For SOCK_SEQPACKET, sock_write_iter() automatically sets MSG_EOR, so a subsequent zero-length write(fd, NULL, 0) completes the message and queues it to sk_write_queue. kcm_write_msgs() then walks the frag_list and hits:
WARN_ON(!skb_shinfo(skb)->nr_frags)
TCP has a similar pattern where skbs are enqueued before data copy and cleaned up on failure via tcp_remove_empty_skb(). KCM was missing the equivalent cleanup.
Fix this by tracking the predecessor skb (frag_prev) when allocating a new frag_list entry. On error, if the tail skb has zero frags, use frag_prev to unlink and free it in O(1) without walking the singly-linked frag_list. frag_prev is safe to dereference because the entire message chain is only held locally (or in kcm->seq_skb) and is not added to sk_write_queue until MSG_EOR, so the send path cannot free it underneath us.
Also change the WARN_ON to WARN_ON_ONCE to avoid flooding the log if the condition is somehow hit repeatedly.
There are currently no KCM selftests in the kernel tree; a simple reproducer is available at [1].
[1] https://gist.github.com/mrpre/a94d431c757e8d6f168f4dd1a3749daa
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 < 9ea3671d70ee07480d80bebe86696397c4e99fb7 | affected |
| Linux | Linux | ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 < b1e3edf688a88c1a3ac41657055d9c136a08cd25 | affected |
| Linux | Linux | ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 < 7af58f76e4b404a74c836881a845e6652db8a09f | affected |
| Linux | Linux | ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 < ca220141fa8ebae09765a242076b2b77338106b0 | affected |
| Linux | Linux | 4.6 | affected |
| Linux | Linux | 0 < 4.6 | unaffected |
| Linux | Linux | 6.12.75 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.16 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.6 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/9ea3671d70ee07480d80bebe86696397c4e99fb7
- https://git.kernel.org/stable/c/b1e3edf688a88c1a3ac41657055d9c136a08cd25
- https://git.kernel.org/stable/c/7af58f76e4b404a74c836881a845e6652db8a09f
- https://git.kernel.org/stable/c/ca220141fa8ebae09765a242076b2b77338106b0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.