* [PATCH net v2] psample: use nla_reserve() for PSAMPLE_ATTR_DATA
@ 2026-06-14  3:49 Xiang Mei
  2026-06-15 13:09 ` Simon Horman
  2026-06-15 21:08 ` Jakub Kicinski
  0 siblings, 2 replies; 4+ messages in thread
From: Xiang Mei @ 2026-06-14  3:49 UTC (permalink / raw)
  To: kuba, netdev
  Cc: davem, yotam.gi, edumazet, pabeni, horms, bestswngs, Xiang Mei

psample_sample_packet() open-codes the PSAMPLE_ATTR_DATA attribute and
reserves nla_total_size(data_len) bytes but only writes NLA_HDRLEN +
data_len of them.  When data_len is not a multiple of 4 the trailing
alignment padding is left uninitialised, leaking stale slab memory to
every listener on the PSAMPLE_NL_MCGRP_SAMPLE multicast group.

Use nla_reserve(), which lays out the header and zeroes the padding, and
copy the payload into the reserved area with skb_copy_bits().

Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
v2: use nla_reserve to ensure no info leak

 net/psample/psample.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/psample/psample.c b/net/psample/psample.c
index 7763662036fb..6a714a4b4992 100644
--- a/net/psample/psample.c
+++ b/net/psample/psample.c
@@ -476,12 +476,11 @@ void psample_sample_packet(struct psample_group *group,
 		goto error;
 
 	if (data_len) {
-		int nla_len = nla_total_size(data_len);
 		struct nlattr *nla;
 
-		nla = skb_put(nl_skb, nla_len);
-		nla->nla_type = PSAMPLE_ATTR_DATA;
-		nla->nla_len = nla_attr_size(data_len);
+		nla = nla_reserve(nl_skb, PSAMPLE_ATTR_DATA, data_len);
+		if (!nla)
+			goto error;
 
 		if (skb_copy_bits(skb, 0, nla_data(nla), data_len))
 			goto error;
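Review bot: the new `if (!nla) goto error;` branch in the `if (data_len)` block changes failure behaviour, and the commit message does not say so. The removed skb_put() call would trip skb_over_panic() if nl_skb lacked tailroom, while nla_reserve() returns NULL in that case and the sample is now dropped through the error label. Please add a sentence to the changelog noting this, and confirm that the `error` label (not visible in this hunk) frees nl_skb on this new path. The "v2:" line would also be easier to review if it stated what v1 did differently.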
-- 
2.43.0



* Re: [PATCH net v2] psample: use nla_reserve() for PSAMPLE_ATTR_DATA
  2026-06-14  3:49 [PATCH net v2] psample: use nla_reserve() for PSAMPLE_ATTR_DATA Xiang Mei
@ 2026-06-15 13:09 ` Simon Horman
  2026-06-15 21:08 ` Jakub Kicinski
  1 sibling, 0 replies; 4+ messages in thread
From: Simon Horman @ 2026-06-15 13:09 UTC (permalink / raw)
  To: Xiang Mei; +Cc: kuba, netdev, davem, yotam.gi, edumazet, pabeni, bestswngs

On Sat, Jun 13, 2026 at 08:49:19PM -0700, Xiang Mei wrote:
> psample_sample_packet() open-codes the PSAMPLE_ATTR_DATA attribute and
> reserves nla_total_size(data_len) bytes but only writes NLA_HDRLEN +
> data_len of them.  When data_len is not a multiple of 4 the trailing
> alignment padding is left uninitialised, leaking stale slab memory to
> every listener on the PSAMPLE_NL_MCGRP_SAMPLE multicast group.
> 
> Use nla_reserve(), which lays out the header and zeroes the padding, and
> copy the payload into the reserved area with skb_copy_bits().
> 
> Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
> ---
> v2: use nla_reserve to ensure no info leak

Reviewed-by: Simon Horman <horms@kernel.org>



* Re: [PATCH net v2] psample: use nla_reserve() for PSAMPLE_ATTR_DATA
  2026-06-14  3:49 [PATCH net v2] psample: use nla_reserve() for PSAMPLE_ATTR_DATA Xiang Mei
  2026-06-15 13:09 ` Simon Horman
@ 2026-06-15 21:08 ` Jakub Kicinski
  2026-06-15 21:48   ` Xiang Mei
  1 sibling, 1 reply; 4+ messages in thread
From: Jakub Kicinski @ 2026-06-15 21:08 UTC (permalink / raw)
  To: Xiang Mei; +Cc: netdev, davem, yotam.gi, edumazet, pabeni, horms, bestswngs

On Sat, 13 Jun 2026 20:49:19 -0700 Xiang Mei wrote:
> psample_sample_packet() open-codes the PSAMPLE_ATTR_DATA attribute and
> reserves nla_total_size(data_len) bytes but only writes NLA_HDRLEN +
> data_len of them.  When data_len is not a multiple of 4 the trailing
> alignment padding is left uninitialised, leaking stale slab memory to
> every listener on the PSAMPLE_NL_MCGRP_SAMPLE multicast group.
> 
> Use nla_reserve(), which lays out the header and zeroes the padding, and
> copy the payload into the reserved area with skb_copy_bits().

Use the diff I provided or I will post it myself.


* Re: [PATCH net v2] psample: use nla_reserve() for PSAMPLE_ATTR_DATA
  2026-06-15 21:08 ` Jakub Kicinski
@ 2026-06-15 21:48   ` Xiang Mei
  0 siblings, 0 replies; 4+ messages in thread
From: Xiang Mei @ 2026-06-15 21:48 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: netdev, davem, yotam.gi, edumazet, pabeni, horms, bestswngs

On Mon, Jun 15, 2026 at 2:08 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Sat, 13 Jun 2026 20:49:19 -0700 Xiang Mei wrote:
> > psample_sample_packet() open-codes the PSAMPLE_ATTR_DATA attribute and
> > reserves nla_total_size(data_len) bytes but only writes NLA_HDRLEN +
> > data_len of them.  When data_len is not a multiple of 4 the trailing
> > alignment padding is left uninitialised, leaking stale slab memory to
> > every listener on the PSAMPLE_NL_MCGRP_SAMPLE multicast group.
> >
> > Use nla_reserve(), which lays out the header and zeroes the padding, and
> > copy the payload into the reserved area with skb_copy_bits().
>
> Use the diff I provided or I will post it myself.

You can post it yourself. Thank you for taking the time to deliver
that patch. I don't want to take credit for your work.

Xiang
