From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 13/51] ipv6: fix kernel-infoleak in ipv6_local_error()
Date: Mon, 21 Jan 2019 14:44:09 +0100 [thread overview]
Message-ID: <20190121122454.706243702@linuxfoundation.org> (raw)
In-Reply-To: <20190121122453.700446926@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 7d033c9f6a7fd3821af75620a0257db87c2b552a ]
This patch makes sure the flow label in the IPv6 header
forged in ipv6_local_error() is initialized.
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 1 PID: 24675 Comm: syz-executor1 Not tainted 4.20.0-rc7+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x173/0x1d0 lib/dump_stack.c:113
kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
kmsan_internal_check_memory+0x455/0xb00 mm/kmsan/kmsan.c:675
kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
_copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
copy_to_user include/linux/uaccess.h:177 [inline]
move_addr_to_user+0x2e9/0x4f0 net/socket.c:227
___sys_recvmsg+0x5d7/0x1140 net/socket.c:2284
__sys_recvmsg net/socket.c:2327 [inline]
__do_sys_recvmsg net/socket.c:2337 [inline]
__se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334
__x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8750c06c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
RDX: 0000000000002000 RSI: 0000000020000400 RDI: 0000000000000005
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8750c076d4
R13: 00000000004c4a60 R14: 00000000004d8140 R15: 00000000ffffffff
Uninit was stored to memory at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
kmsan_save_stack mm/kmsan/kmsan.c:219 [inline]
kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:439
__msan_chain_origin+0x70/0xe0 mm/kmsan/kmsan_instr.c:200
ipv6_recv_error+0x1e3f/0x1eb0 net/ipv6/datagram.c:475
udpv6_recvmsg+0x398/0x2ab0 net/ipv6/udp.c:335
inet_recvmsg+0x4fb/0x600 net/ipv4/af_inet.c:830
sock_recvmsg_nosec net/socket.c:794 [inline]
sock_recvmsg+0x1d1/0x230 net/socket.c:801
___sys_recvmsg+0x4d5/0x1140 net/socket.c:2278
__sys_recvmsg net/socket.c:2327 [inline]
__do_sys_recvmsg net/socket.c:2337 [inline]
__se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334
__x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
slab_post_alloc_hook mm/slab.h:446 [inline]
slab_alloc_node mm/slub.c:2759 [inline]
__kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
__kmalloc_reserve net/core/skbuff.c:137 [inline]
__alloc_skb+0x309/0xa20 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:998 [inline]
ipv6_local_error+0x1a7/0x9e0 net/ipv6/datagram.c:334
__ip6_append_data+0x129f/0x4fd0 net/ipv6/ip6_output.c:1311
ip6_make_skb+0x6cc/0xcf0 net/ipv6/ip6_output.c:1775
udpv6_sendmsg+0x3f8e/0x45d0 net/ipv6/udp.c:1384
inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
__sys_sendto+0x8c4/0xac0 net/socket.c:1788
__do_sys_sendto net/socket.c:1800 [inline]
__se_sys_sendto+0x107/0x130 net/socket.c:1796
__x64_sys_sendto+0x6e/0x90 net/socket.c:1796
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
Bytes 4-7 of 28 are uninitialized
Memory access of size 28 starts at ffff8881937bfce0
Data copied to user address 0000000020000000
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/datagram.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -335,6 +335,7 @@ void ipv6_local_error(struct sock *sk, i
skb_reset_network_header(skb);
iph = ipv6_hdr(skb);
iph->daddr = fl6->daddr;
+ ip6_flow_hdr(iph, 0, 0);
serr = SKB_EXT_ERR(skb);
serr->ee.ee_errno = err;
next prev parent reply other threads:[~2019-01-21 13:54 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-21 13:43 [PATCH 4.9 00/51] 4.9.152-stable review Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.9 01/51] tty/ldsem: Wake up readers after timed out down_write() Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.9 02/51] tty: Hold tty_ldisc_lock() during tty_reopen() Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.9 03/51] tty: Simplify tty->count math in tty_reopen() Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 04/51] tty: Dont hold ldisc lock in tty_reopen() if ldisc present Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 05/51] can: gw: ensure DLC boundaries after CAN frame modification Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 06/51] Revert "f2fs: do not recover from previous remained wrong dnodes" Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 07/51] media: em28xx: Fix misplaced reset of dev->v4l::field_count Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 08/51] proc: Remove empty line in /proc/self/status Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 09/51] Revert "scsi: target: iscsi: cxgbit: fix csk leak" Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 10/51] scsi: target: iscsi: cxgbit: fix csk leak Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 11/51] arm64/kvm: consistently handle host HCR_EL2 flags Greg Kroah-Hartman
2019-01-21 13:44 ` Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 12/51] arm64: Dont trap host pointer auth use to EL2 Greg Kroah-Hartman
2019-01-21 13:44 ` Greg Kroah-Hartman [this message]
2019-01-21 13:44 ` [PATCH 4.9 14/51] net: bridge: fix a bug on using a neighbour cache entry without checking its state Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 15/51] packet: Do not leak dev refcounts on error exit Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 16/51] bonding: update nest level on unlink Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 17/51] ip: on queued skb use skb_header_pointer instead of pskb_may_pull Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 18/51] crypto: caam - fix zero-length buffer DMA mapping Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 19/51] crypto: authencesn - Avoid twice completion call in decrypt path Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 20/51] crypto: authenc - fix parsing key with misaligned rta_len Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 21/51] btrfs: wait on ordered extents on abort cleanup Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 22/51] Yama: Check for pid death before checking ancestry Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 23/51] scsi: core: Synchronize request queue PM status only on successful resume Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 24/51] scsi: sd: Fix cache_type_store() Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 25/51] crypto: talitos - reorder code in talitos_edesc_alloc() Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 26/51] crypto: talitos - fix ablkcipher for CONFIG_VMAP_STACK Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 27/51] mips: fix n32 compat_ipc_parse_version Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 28/51] mfd: tps6586x: Handle interrupts on suspend Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 29/51] arm64: kaslr: ensure randomized quantities are clean to the PoC Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 30/51] Disable MSI also when pcie-octeon.pcie_disable on Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 31/51] omap2fb: Fix stack memory disclosure Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 32/51] media: vivid: fix error handling of kthread_run Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 33/51] media: vivid: set min width/height to a value > 0 Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 34/51] LSM: Check for NULL cred-security on free Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 35/51] media: vb2: vb2_mmap: move lock up Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 36/51] sunrpc: handle ENOMEM in rpcb_getport_async Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 37/51] netfilter: ebtables: account ebt_table_info to kmemcg Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 38/51] selinux: fix GPF on invalid policy Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 39/51] blockdev: Fix livelocks on loop device Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 40/51] sctp: allocate sctp_sockaddr_entry with kzalloc Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 41/51] tipc: fix uninit-value in tipc_nl_compat_link_reset_stats Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 42/51] tipc: fix uninit-value in tipc_nl_compat_bearer_enable Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 43/51] tipc: fix uninit-value in tipc_nl_compat_link_set Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 44/51] tipc: fix uninit-value in tipc_nl_compat_name_table_dump Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 45/51] tipc: fix uninit-value in tipc_nl_compat_doit Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 46/51] block/loop: Use global lock for ioctl() operation Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 47/51] loop: Fold __loop_release into loop_release Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 48/51] loop: Get rid of loop_index_mutex Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 49/51] loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl() Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 50/51] drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.9 51/51] mm, memcg: fix reclaim deadlock with writeback Greg Kroah-Hartman
2019-01-22 13:40 ` [PATCH 4.9 00/51] 4.9.152-stable review Naresh Kamboju
2019-01-22 20:44 ` Guenter Roeck
2019-01-22 22:39 ` shuah
2019-01-23 9:06 ` Jon Hunter
2019-01-23 9:06 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190121122454.706243702@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.