From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, syzkaller <syzkaller@googlegroups.com>,
Shigeru Yoshida <syoshida@redhat.com>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 31/78] inet_diag: Initialize pad field in struct inet_diag_req_v2
Date: Tue, 16 Jul 2024 17:31:03 +0200 [thread overview]
Message-ID: <20240716152741.842301812@linuxfoundation.org> (raw)
In-Reply-To: <20240716152740.626160410@linuxfoundation.org>
5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shigeru Yoshida <syoshida@redhat.com>
[ Upstream commit 61cf1c739f08190a4cbf047b9fbb192a94d87e3f ]
KMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw
sockets uses the pad field in struct inet_diag_req_v2 for the
underlying protocol. This field corresponds to the sdiag_raw_protocol
field in struct inet_diag_req_raw.
inet_diag_get_exact_compat() converts inet_diag_req to
inet_diag_req_v2, but leaves the pad field uninitialized. So the issue
occurs when raw_lookup() accesses the sdiag_raw_protocol field.
Fix this by initializing the pad field in
inet_diag_get_exact_compat(). Also, do the same fix in
inet_diag_dump_compat() to avoid the similar issue in the future.
[1]
BUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]
BUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
raw_lookup net/ipv4/raw_diag.c:49 [inline]
raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
inet_diag_cmd_exact+0x7d9/0x980
inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x332/0x3d0 net/socket.c:745
____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
__sys_sendmsg net/socket.c:2668 [inline]
__do_sys_sendmsg net/socket.c:2677 [inline]
__se_sys_sendmsg net/socket.c:2675 [inline]
__x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71
raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
inet_diag_cmd_exact+0x7d9/0x980
inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x332/0x3d0 net/socket.c:745
____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
__sys_sendmsg net/socket.c:2668 [inline]
__do_sys_sendmsg net/socket.c:2677 [inline]
__se_sys_sendmsg net/socket.c:2675 [inline]
__x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Local variable req.i created at:
inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]
inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426
sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
CPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
Fixes: 432490f9d455 ("net: ip, diag -- Add diag interface for raw sockets")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20240703091649.111773-1-syoshida@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/inet_diag.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index f8f79672cc5f3..1de42888e14a2 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -1088,6 +1088,7 @@ static int inet_diag_dump_compat(struct sk_buff *skb,
req.sdiag_family = AF_UNSPEC; /* compatibility */
req.sdiag_protocol = inet_diag_type2proto(cb->nlh->nlmsg_type);
req.idiag_ext = rc->idiag_ext;
+ req.pad = 0;
req.idiag_states = rc->idiag_states;
req.id = rc->id;
@@ -1106,6 +1107,7 @@ static int inet_diag_get_exact_compat(struct sk_buff *in_skb,
req.sdiag_family = rc->idiag_family;
req.sdiag_protocol = inet_diag_type2proto(nlh->nlmsg_type);
req.idiag_ext = rc->idiag_ext;
+ req.pad = 0;
req.idiag_states = rc->idiag_states;
req.id = rc->id;
--
2.43.0
next prev parent reply other threads:[~2024-07-16 15:38 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-16 15:30 [PATCH 5.4 00/78] 5.4.280-rc1 review Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 01/78] drm/lima: fix shared irq handling on driver remove Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 02/78] media: dvb: as102-fe: Fix as10x_register_addr packing Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 03/78] media: dvb-usb: dib0700_devices: Add missing release_firmware() Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 04/78] IB/core: Implement a limit on UMAD receive List Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 05/78] scsi: qedf: Make qedf_execute_tmf() non-preemptible Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 06/78] drm/amdgpu: Initialize timestamp for some legacy SOCs Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 07/78] drm/amd/display: Skip finding free audio for unknown engine_id Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 08/78] media: dw2102: Dont translate i2c read into write Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 09/78] sctp: prefer struct_size over open coded arithmetic Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 10/78] firmware: dmi: Stop decoding on broken entry Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 11/78] Input: ff-core - prefer struct_size over open coded arithmetic Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 12/78] net: dsa: mv88e6xxx: Correct check for empty list Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 13/78] media: dvb-frontends: tda18271c2dd: Remove casting during div Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 14/78] media: s2255: Use refcount_t instead of atomic_t for num_channels Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 15/78] media: dvb-frontends: tda10048: Fix integer overflow Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 16/78] i2c: i801: Annotate apanel_addr as __ro_after_init Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 17/78] powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 18/78] orangefs: fix out-of-bounds fsid access Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 19/78] powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#" Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 20/78] jffs2: Fix potential illegal address access in jffs2_free_inode Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 21/78] s390/pkey: Wipe sensitive data on failure Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 22/78] tcp: tcp_mark_head_lost is only valid for sack-tcp Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 23/78] tcp: add ece_ack flag to reno sack functions Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 24/78] net: tcp better handling of reordering then loss cases Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 25/78] UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open() Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 26/78] tcp_metrics: validate source addr length Greg Kroah-Hartman
2024-07-16 15:30 ` [PATCH 5.4 27/78] wifi: wilc1000: fix ies_len type in connect path Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 28/78] bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 29/78] selftests: fix OOM in msg_zerocopy selftest Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 30/78] selftests: make order checking verbose " Greg Kroah-Hartman
2024-07-16 15:31 ` Greg Kroah-Hartman [this message]
2024-07-16 15:31 ` [PATCH 5.4 32/78] nilfs2: fix inode number range checks Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 33/78] nilfs2: add missing check for inode numbers on directory entries Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 34/78] mm: optimize the redundant loop of mm_update_owner_next() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 35/78] can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 36/78] fsnotify: Do not generate events for O_PATH file descriptors Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 37/78] Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 38/78] drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 39/78] drm/amdgpu/atomfirmware: silence UBSAN warning Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 40/78] bnx2x: Fix multiple UBSAN array-index-out-of-bounds Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 41/78] media: dw2102: fix a potential buffer overflow Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 42/78] i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 43/78] ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897 Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 44/78] nvme-multipath: find NUMA path only for online numa-node Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 45/78] nilfs2: fix incorrect inode allocation from reserved inodes Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 46/78] filelock: fix potential use-after-free in posix_lock_inode Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 47/78] fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 48/78] vfs: dont mod negative dentry count when on shrinker list Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 49/78] tcp: add TCP_INFO status for failed client TFO Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 50/78] tcp: fix incorrect undo caused by DSACK of TLP retransmit Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 51/78] octeontx2-af: Fix incorrect value output on error path in rvu_check_rsrc_availability() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 52/78] net: lantiq_etop: add blank line after declaration Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 53/78] net: ethernet: lantiq_etop: fix double free in detach Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 54/78] ppp: reject claimed-as-LCP but actually malformed packets Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 55/78] udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 56/78] s390: Mark psw in __load_psw_mask() as __unitialized Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 57/78] ARM: davinci: Convert comma to semicolon Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 58/78] octeontx2-af: fix detection of IP layer Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 59/78] USB: serial: option: add Telit generic core-dump composition Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 60/78] USB: serial: option: add Telit FN912 rmnet compositions Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 61/78] USB: serial: option: add Fibocom FM350-GL Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 62/78] USB: serial: option: add support for Foxconn T99W651 Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 63/78] USB: serial: option: add Netprisma LCUK54 series modules Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 64/78] USB: serial: option: add Rolling RW350-GL variants Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 65/78] USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 66/78] usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 67/78] USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 68/78] hpet: Support 32-bit userspace Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 69/78] nvmem: meson-efuse: Fix return value of nvmem callbacks Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 70/78] ALSA: hda/realtek: Limit mic boost on VAIO PRO PX Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 71/78] libceph: fix race between delayed_work() and ceph_monc_stop() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 72/78] SUNRPC: Fix RPC client cleaned up the freed pipefs dentries Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 73/78] tcp: refactor tcp_retransmit_timer() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 74/78] net: tcp: fix unexcepted socket die when snd_wnd is 0 Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 75/78] tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 76/78] tcp: avoid too many retransmit packets Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 77/78] nilfs2: fix kernel bug on rename operation of broken directory Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 5.4 78/78] i2c: rcar: bring hardware to known state when probing Greg Kroah-Hartman
2024-07-16 17:49 ` [PATCH 5.4 00/78] 5.4.280-rc1 review Florian Fainelli
2024-07-16 20:57 ` Naresh Kamboju
2024-07-17 6:22 ` Greg Kroah-Hartman
2024-07-17 15:56 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240716152741.842301812@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=pabeni@redhat.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syoshida@redhat.com \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.