From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
syzbot <syzkaller@googlegroups.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.16 07/18] sctp: do not leak kernel memory to user space
Date: Wed, 11 Apr 2018 00:23:42 +0200 [thread overview]
Message-ID: <20180410212758.961732699@linuxfoundation.org> (raw)
In-Reply-To: <20180410212758.564682823@linuxfoundation.org>
4.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 6780db244d6b1537d139dea0ec8aad10cf9e4adb ]
syzbot produced a nice report [1]
Issue here is that a recvmmsg() managed to leak 8 bytes of kernel memory
to user space, because sin_zero (padding field) was not properly cleared.
[1]
BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 net/socket.c:227
CPU: 1 PID: 3586 Comm: syzkaller481044 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
copy_to_user include/linux/uaccess.h:184 [inline]
move_addr_to_user+0x32e/0x530 net/socket.c:227
___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
__sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4401c9
RSP: 002b:00007ffc56f73098 EFLAGS: 00000217 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9
RDX: 0000000000000001 RSI: 0000000020003ac0 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000020003bc0 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401af0
R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000
Local variable description: ----addr@___sys_recvmsg
Variable was created at:
___sys_recvmsg+0xd5/0x810 net/socket.c:2172
__sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
Bytes 8-15 of 16 are uninitialized
==================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 3586 Comm: syzkaller481044 Tainted: G B 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
panic+0x39d/0x940 kernel/panic.c:183
kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
copy_to_user include/linux/uaccess.h:184 [inline]
move_addr_to_user+0x32e/0x530 net/socket.c:227
___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
__sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/ipv6.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -728,8 +728,10 @@ static int sctp_v6_addr_to_user(struct s
sctp_v6_map_v4(addr);
}
- if (addr->sa.sa_family == AF_INET)
+ if (addr->sa.sa_family == AF_INET) {
+ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
return sizeof(struct sockaddr_in);
+ }
return sizeof(struct sockaddr_in6);
}
next prev parent reply other threads:[~2018-04-10 22:24 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-10 22:23 [PATCH 4.16 00/18] 4.16.2-stable review Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 01/18] sparc64: Oracle DAX driver depends on SPARC64 Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 02/18] arp: fix arp_filter on l3slave devices Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 03/18] net: dsa: Discard frames from unused ports Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 04/18] net/ipv6: Increment OUTxxx counters after netfilter hook Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 05/18] net/sched: fix NULL dereference in the error path of tcf_bpf_init() Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 06/18] pptp: remove a buggy dst release in pptp_connect() Greg Kroah-Hartman
2018-04-10 22:23 ` Greg Kroah-Hartman [this message]
2018-04-10 22:23 ` [PATCH 4.16 08/18] sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6 Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 09/18] sky2: Increase D3 delay to sky2 stops working after suspend Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 10/18] vlan: also check phy_driver ts_info for vlans real device Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 11/18] net: fool proof dev_valid_name() Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 12/18] ip_tunnel: better validate user provided tunnel names Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 13/18] ipv6: sit: " Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 14/18] ip6_gre: " Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 15/18] ip6_tunnel: " Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 16/18] vti6: " Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 17/18] net_sched: fix a missing idr_remove() in u32_delete_key() Greg Kroah-Hartman
2018-04-10 22:23 ` [PATCH 4.16 18/18] nfp: use full 40 bits of the NSP buffer address Greg Kroah-Hartman
2018-04-11 6:02 ` [PATCH 4.16 00/18] 4.16.2-stable review kernelci.org bot
2018-04-11 17:15 ` Shuah Khan
2018-04-12 12:31 ` Greg Kroah-Hartman
2018-04-11 17:27 ` Guenter Roeck
2018-04-12 12:31 ` Greg Kroah-Hartman
2018-04-11 19:26 ` Dan Rue
2018-04-12 12:32 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180410212758.961732699@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.