From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	syzbot <syzkaller@googlegroups.com>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 4.4 70/79] xfrm_user: prevent leaking 2 bytes of kernel memory
Date: Thu, 23 Aug 2018 09:53:46 +0200	[thread overview]
Message-ID: <20180823074923.747986589@linuxfoundation.org> (raw)
In-Reply-To: <20180823074918.641878835@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 45c180bc29babbedd6b8c01b975780ef44d9d09c upstream.

struct xfrm_userpolicy_type has two holes, so we should not
use a C99-style initializer.

KMSAN report:

BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
 kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
 kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
 copyout lib/iov_iter.c:140 [inline]
 _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
 copy_to_iter include/linux/uio.h:106 [inline]
 skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
 skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
 netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
 sock_recvmsg_nosec net/socket.c:802 [inline]
 sock_recvmsg+0x1d6/0x230 net/socket.c:809
 ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
 __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
 do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
 __do_sys_recvmmsg net/socket.c:2485 [inline]
 __se_sys_recvmmsg net/socket.c:2481 [inline]
 __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x446ce9
RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
 __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
 __nla_put lib/nlattr.c:569 [inline]
 nla_put+0x276/0x340 lib/nlattr.c:627
 copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
 dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
 xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
 xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
 netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
 __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
 netlink_dump_start include/linux/netlink.h:214 [inline]
 xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
 netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
 xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Local variable description: ----upt.i@dump_one_policy
Variable was created at:
 dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
 xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013

Byte 130 of 137 is uninitialized
Memory access starts at ffff88019550407f

Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/xfrm/xfrm_user.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1624,9 +1624,11 @@ static inline size_t userpolicy_type_att
 #ifdef CONFIG_XFRM_SUB_POLICY
 static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
 {
-	struct xfrm_userpolicy_type upt = {
-		.type = type,
-	};
+	struct xfrm_userpolicy_type upt;
+
+	/* Sadly there are two holes in struct xfrm_userpolicy_type */
+	memset(&upt, 0, sizeof(upt));
+	upt.type = type;
 
 	return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
 }
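Review bot: the comment added at `/* Sadly there are two holes in struct xfrm_userpolicy_type */` says that the holes exist but not why the initializer form had to go; consider stating that a C99 designated initializer is only required to set the named fields and zero the omitted ones, not the padding, so the `memset(&upt, 0, sizeof(upt));` before `upt.type = type;` is load-bearing and must not be folded back into `= { .type = type }` or `= {}` by a later cleanup. Because the object is handed to `nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);` byte for byte, the uninitialized byte in the KMSAN report (`upt.i@dump_one_policy`) is that padding. The hunk sits under `#ifdef CONFIG_XFRM_SUB_POLICY`; the matching `#else` definition is outside the hunk, so it is worth confirming it builds no struct of its own that needs the same clearing.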


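The padding behaviour the commit message describes, as an added userspace example that is not part of the patch or the kernel tree: `struct upt_replica` is a local stand-in assumed to mirror struct xfrm_userpolicy_type's field layout (u8, u16, u8), and `fill_fields_only`, `fill_memset`, `leaked_bytes` and `UPT_HOLE_BYTES` are names chosen here. The before/after fill routines show why clearing the whole object, as the patch does, is what keeps the holes out of the netlink reply.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in assumed to mirror struct xfrm_userpolicy_type (u8, u16, u8); on
 * common ABIs that leaves one hole after `type`, one after `reserved2`. */
struct upt_replica {
    uint8_t  type;
    uint16_t reserved1;
    uint8_t  reserved2;
};

/* Padding bytes: object size minus the bytes the fields occupy. */
#define UPT_HOLE_BYTES \
    (sizeof(struct upt_replica) - sizeof(uint8_t) - sizeof(uint16_t) - sizeof(uint8_t))

/* The struct seen as raw bytes, which is how nla_put() copies it into the skb. */
union upt_bytes {
    struct upt_replica s;
    unsigned char raw[sizeof(struct upt_replica)];
};
#define POISON 0xAA /* stands in for stale stack contents */

/* Before: only the named fields are written, which is all a C99 initializer
 * is required to do, so the padding keeps whatever the stack held. */
static void fill_fields_only(struct upt_replica *p, uint8_t type)
{
    p->type = type;
    p->reserved1 = 0;
    p->reserved2 = 0;
}

/* After, as in the patch: clear the whole object first, then set the field. */
static void fill_memset(struct upt_replica *p, uint8_t type)
{
    memset(p, 0, sizeof(*p));
    p->type = type;
}

/* Poison the object, run a fill routine, and count bytes still holding
 * POISON: exactly the bytes that would reach userspace unchanged. */
static int leaked_bytes(void (*fill)(struct upt_replica *, uint8_t))
{
    union upt_bytes u;
    int n = 0;
    memset(u.raw, POISON, sizeof u.raw);
    fill(&u.s, 1);
    for (size_t i = 0; i < sizeof u.raw; i++)
        n += (u.raw[i] == POISON);
    return n;
}
```

With the stand-in layout, `leaked_bytes(fill_fields_only)` returns 2, matching the "2 bytes" in the subject, and `leaked_bytes(fill_memset)` returns 0.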
