From: Simon Horman <horms@kernel.org>
To: Shigeru Yoshida <syoshida@redhat.com>
Cc: jmaloy@redhat.com, ying.xue@windriver.com, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH net] tipc: Fix kernel-infoleak due to uninitialized TLV value
Date: Sun, 12 Nov 2023 10:25:13 +0000
Message-ID: <20231112102513.GJ705326@kernel.org>
In-Reply-To: <20231110163947.1605168-1-syoshida@redhat.com>
On Sat, Nov 11, 2023 at 01:39:47AM +0900, Shigeru Yoshida wrote:
> KMSAN reported the following kernel-infoleak issue:
>
> =====================================================
> BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
> BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
> BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
> BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
> BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
> instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> copy_to_user_iter lib/iov_iter.c:24 [inline]
> iterate_ubuf include/linux/iov_iter.h:29 [inline]
> iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
> iterate_and_advance include/linux/iov_iter.h:271 [inline]
> _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
> copy_to_iter include/linux/uio.h:197 [inline]
> simple_copy_to_iter net/core/datagram.c:532 [inline]
> __skb_datagram_iter.5+0x148/0xe30 net/core/datagram.c:420
> skb_copy_datagram_iter+0x52/0x210 net/core/datagram.c:546
> skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
> netlink_recvmsg+0x43d/0x1630 net/netlink/af_netlink.c:1967
> sock_recvmsg_nosec net/socket.c:1044 [inline]
> sock_recvmsg net/socket.c:1066 [inline]
> __sys_recvfrom+0x476/0x860 net/socket.c:2246
> __do_sys_recvfrom net/socket.c:2264 [inline]
> __se_sys_recvfrom net/socket.c:2260 [inline]
> __x64_sys_recvfrom+0x130/0x200 net/socket.c:2260
> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
> Uninit was created at:
> slab_post_alloc_hook+0x103/0x9e0 mm/slab.h:768
> slab_alloc_node mm/slub.c:3478 [inline]
> kmem_cache_alloc_node+0x5f7/0xb50 mm/slub.c:3523
> kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:560
> __alloc_skb+0x2fd/0x770 net/core/skbuff.c:651
> alloc_skb include/linux/skbuff.h:1286 [inline]
> tipc_tlv_alloc net/tipc/netlink_compat.c:156 [inline]
> tipc_get_err_tlv+0x90/0x5d0 net/tipc/netlink_compat.c:170
> tipc_nl_compat_recv+0x1042/0x15d0 net/tipc/netlink_compat.c:1324
> genl_family_rcv_msg_doit net/netlink/genetlink.c:972 [inline]
> genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
> genl_rcv_msg+0x1220/0x12c0 net/netlink/genetlink.c:1067
> netlink_rcv_skb+0x4a4/0x6a0 net/netlink/af_netlink.c:2545
> genl_rcv+0x41/0x60 net/netlink/genetlink.c:1076
> netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
> netlink_unicast+0xf4b/0x1230 net/netlink/af_netlink.c:1368
> netlink_sendmsg+0x1242/0x1420 net/netlink/af_netlink.c:1910
> sock_sendmsg_nosec net/socket.c:730 [inline]
> __sock_sendmsg net/socket.c:745 [inline]
> ____sys_sendmsg+0x997/0xd60 net/socket.c:2588
> ___sys_sendmsg+0x271/0x3b0 net/socket.c:2642
> __sys_sendmsg net/socket.c:2671 [inline]
> __do_sys_sendmsg net/socket.c:2680 [inline]
> __se_sys_sendmsg net/socket.c:2678 [inline]
> __x64_sys_sendmsg+0x2fa/0x4a0 net/socket.c:2678
> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
> Bytes 34-35 of 36 are uninitialized
> Memory access of size 36 starts at ffff88802d464a00
> Data copied to user address 00007ff55033c0a0
>
> CPU: 0 PID: 30322 Comm: syz-executor.0 Not tainted 6.6.0-14500-g1c41041124bd #10
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
> =====================================================
>
> tipc_add_tlv() puts the TLV descriptor and value onto `skb`. The size is
> calculated with the TLV_SPACE() macro. It adds the size of struct tlv_desc and
> the length of the TLV value passed as an argument, and aligns the result to a
> multiple of TLV_ALIGNTO, i.e., a multiple of 4 bytes.
>
> If the size of struct tlv_desc plus the length of TLV value is not aligned,
> the current implementation leaves the remaining bytes uninitialized. This
> is the cause of the above kernel-infoleak issue.
>
> This patch resolves this issue by clearing data up to an aligned size.
>
> Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
> Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Thanks Yoshida-san,
I agree with both your analysis and that the fix is correct.
I also agree that the problem was introduced by the cited commit.
I did wonder if there would be an advantage to only zeroing the
otherwise uninitialised portion of tlv, but I guess that the complexity
isn't worth any gain: all of TLV likely fits into a single cacheline
anyway.
Reviewed-by: Simon Horman <horms@kernel.org>
> ---
> net/tipc/netlink_compat.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
> index 5bc076f2fa74..c763008a8adb 100644
> --- a/net/tipc/netlink_compat.c
> +++ b/net/tipc/netlink_compat.c
> @@ -102,6 +102,7 @@ static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len)
> return -EMSGSIZE;
>
> skb_put(skb, TLV_SPACE(len));
> + memset(tlv, 0, TLV_SPACE(len));
> tlv->tlv_type = htons(type);
> tlv->tlv_len = htons(TLV_LENGTH(len));
> if (len && data)
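Review bot: the added `memset(tlv, 0, TLV_SPACE(len));` clears the whole TLV_SPACE(len) region even though the descriptor fields and, when `len && data` holds, the first `len` value bytes are overwritten right after it; the bytes the report flags are only the padding between TLV_LENGTH(len) and TLV_SPACE(len), at most TLV_ALIGNTO - 1 of them, so a minimal fix would zero just that tail. Whole-region zeroing is still the better choice here: it also covers the `len && data` false branch, where a non-zero `len` with a NULL `data` previously left the entire value area unwritten, and the cost is a few bytes in one cacheline. If `tlv` is the pointer for the bytes reserved by the `skb_put(skb, TLV_SPACE(len));` just above, `skb_put_zero()` would fold the reservation and the clear into a single call and make the intent obvious to future readers.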
> --
> 2.41.0
>
>
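The following user-space model, added here as an illustration and not code from the patch or the kernel, reproduces the layout the commit message describes: a TLV region sized by TLV_SPACE() whose alignment padding is never written. The struct and macros are modelled on the TIPC legacy TLV definitions the patch refers to (names from the patch, values this example's own); `fake_skb` stands in for an skb whose fresh memory is poisoned with a recognisable byte so the leak can be counted, and `add_tlv_unfixed()` / `add_tlv_fixed()` are the pre- and post-patch helper logic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Modelled on the TLV definitions used by net/tipc/netlink_compat.c.
 * The field order and macro values here are this example's assumptions. */
struct tlv_desc {
	uint16_t tlv_len;	/* big-endian: header + value length, unpadded */
	uint16_t tlv_type;	/* big-endian TLV type */
};

#define TLV_ALIGNTO 4
#define TLV_ALIGN(datalen) (((datalen) + (TLV_ALIGNTO - 1)) & ~(TLV_ALIGNTO - 1))
#define TLV_LENGTH(datalen) (sizeof(struct tlv_desc) + (datalen))
#define TLV_SPACE(datalen) (TLV_ALIGN(TLV_LENGTH(datalen)))

/* Stand-in for freshly allocated skb memory. The kernel does not clear it;
 * KMSAN tracks it as "uninit". Here it is poisoned with a marker byte so
 * that any byte reaching the reader unwritten can be counted. */
#define STALE_BYTE 0xAA
#define BUF_SIZE 64

struct fake_skb {
	unsigned char data[BUF_SIZE];
	size_t tail;		/* like skb->tail: number of bytes already put */
};

static void fake_skb_init(struct fake_skb *skb)
{
	memset(skb->data, STALE_BYTE, sizeof(skb->data));
	skb->tail = 0;
}

/* Equivalent of skb_put(): reserve n bytes at the tail, return their start. */
static void *fake_skb_put(struct fake_skb *skb, size_t n)
{
	void *p;

	if (skb->tail + n > BUF_SIZE)
		return NULL;
	p = skb->data + skb->tail;
	skb->tail += n;
	return p;
}

/* Pre-patch logic: descriptor and value are written, padding is left as is. */
static int add_tlv_unfixed(struct fake_skb *skb, uint16_t type,
			   const void *data, uint16_t len)
{
	struct tlv_desc *tlv = fake_skb_put(skb, TLV_SPACE(len));

	if (!tlv)
		return -1;
	tlv->tlv_type = htons(type);
	tlv->tlv_len = htons(TLV_LENGTH(len));
	if (len && data)
		memcpy(tlv + 1, data, len);
	return 0;
}

/* Patched logic: the whole TLV_SPACE(len) region is cleared first. */
static int add_tlv_fixed(struct fake_skb *skb, uint16_t type,
			 const void *data, uint16_t len)
{
	struct tlv_desc *tlv = fake_skb_put(skb, TLV_SPACE(len));

	if (!tlv)
		return -1;
	memset(tlv, 0, TLV_SPACE(len));
	tlv->tlv_type = htons(type);
	tlv->tlv_len = htons(TLV_LENGTH(len));
	if (len && data)
		memcpy(tlv + 1, data, len);
	return 0;
}

/* Count bytes of the last TLV that still carry the stale marker, i.e. bytes
 * that would be copied to user space without ever having been written. */
static int count_stale_bytes(const struct fake_skb *skb, uint16_t len)
{
	size_t space = TLV_SPACE(len);
	int stale = 0;

	for (size_t i = skb->tail - space; i < skb->tail; i++)
		if (skb->data[i] == STALE_BYTE)
			stale++;
	return stale;
}

/* Add one TLV with a constructed len-byte value (0x11 bytes, so the value
 * itself never matches the marker) and return how many stale bytes the
 * chosen variant leaves behind; -1 if the value does not fit. */
int leaked_bytes(int use_fix, uint16_t len)
{
	struct fake_skb skb;
	unsigned char value[BUF_SIZE];
	int rc;

	memset(value, 0x11, sizeof(value));
	fake_skb_init(&skb);
	rc = use_fix ? add_tlv_fixed(&skb, 1, value, len)
		     : add_tlv_unfixed(&skb, 1, value, len);
	if (rc)
		return -1;
	return count_stale_bytes(&skb, len);
}

int main(void)
{
	/* len = 30 gives TLV_LENGTH 34 and TLV_SPACE 36, the "bytes 34-35
	 * of 36" shape in the KMSAN report. */
	printf("len 30: unfixed leaks %d byte(s), fixed leaks %d\n",
	       leaked_bytes(0, 30), leaked_bytes(1, 30));
	return 0;
}
```

With a 30-byte value the unpatched path leaves exactly the two padding bytes stale, matching the report; with a value whose TLV_LENGTH is already a multiple of 4 (for example 32 bytes) there is no padding and nothing leaks even before the patch, which is why the bug only shows up for certain TLV sizes.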
Thread overview:
2023-11-10 16:39 [PATCH net] tipc: Fix kernel-infoleak due to uninitialized TLV value Shigeru Yoshida
2023-11-12 10:25 ` Simon Horman [this message]
2023-11-13 5:17 ` Shigeru Yoshida
2023-11-13 11:10 ` patchwork-bot+netdevbpf