From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 36EAD3E2AD7 for ; Tue, 14 Jul 2026 06:29:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784010558; cv=none; b=b8wzrj+TjmCIDiYeItC+NHfZ8mA8vR1hFohsvqKhiKgsmlWxfvdNgk5JtuAdT0tWiKpb0QBK+lWS6o0P7bdVknUkeKGhGNuknXWI47iaW8sBGTpvbdhD4p3VMWKz8jdLS8Fpobe2G41HhXMhVH66Ej0/VDpoJjoyVeFltIt2g4M= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784010558; c=relaxed/simple; bh=kmLU4rGPR67ilucNMrOPzthVZ5+TQTJoDMgB86gwQ3I=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=kzkyt+/FXLmSwHd3FNZnFM/DfKukPTQJ8iF2+0CeN9v0oJRF+GkEpHtbhlSeACHniqLBVv/dIJXQnJeT9YUDEKtM0zLYoDySEkE9pyALJDlSNo9jpXNCS6XLV3pqNBNWcBTR7v7qgGucJ+wFslAsCPNl0PQWyXSmhjp11OaDWao= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=pm6mbu65; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="pm6mbu65" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4369C1F00A3A; Tue, 14 Jul 2026 06:29:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1784010556; bh=09EO8r5LgFzD7KhN+xcQkRjxHZVY9HMB5UxLRzRJDVI=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=pm6mbu65d9hn/SJF0B3JE5ZRA5BzLba5Pq5LxZ9YM2aVApPSA6meNw2P9x026KFI/ kAcP0HIBohHxFA/VjwaNrzCtz0sFD2HqvAYY8eBq4t/JoHCd+b44MtAFQEZpc5RTIY 9RIJzXxAAGhtR5RehDucafG5hd5uOCi0NxVmm+7E= Date: Tue, 14 Jul 2026 08:29:10 +0200 From: Greg KH To: omeux Cc: Marcelo Ricardo Leitner , Xin Long , security@kernel.org, linux-sctp@vger.kernel.org Subject: Re: Subject: [SECURITY] sctp: diag: uninit kernel stack leak via INET_DIAG_LOCALS/PEERS Message-ID: <2026071410-concerned-tremble-4cc4@gregkh> References: Precedence: bulk X-Mailing-List: linux-sctp@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Tue, Jul 14, 2026 at 02:19:00PM +0800, omeux wrote: > 5. Suggested fix > --------------------------------------------------------------- > - Suspected location: net/sctp/diag.c inet_diag_msg_sctpladdrs_fill() > and inet_diag_msg_sctpaddrs_fill(); the uninit source is in > net/sctp/protocol.c sctp_v4_from_skb()/sctp_v4_from_addr_param(). > - Proposed and tested fix: zero the full sockaddr_storage slot first, > then copy only the actually-initialized length of the address > (sizeof(struct sockaddr_in) for AF_INET, sizeof(union sctp_addr) > otherwise) so the uninitialized tail never reaches userspace. > > Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") > Cc: stable@vger.kernel.org > Signed-off-by: Your Name Please turn this into a patch that can be applied, and properly use your name and the Assisted-by: tag showing that you used an LLM for this thing, so that it can be considered as a real patch. Also, when cc:ing a public mailing list, no need to get security@kernel.org involved. thanks, greg k-h