From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Alper Ak <alperyasinak1@gmail.com>,
	 davem@davemloft.net,  dsahern@kernel.org,  edumazet@google.com,
	 kuba@kernel.org
Cc: Alper Ak <alperyasinak1@gmail.com>,
	 Paolo Abeni <pabeni@redhat.com>,
	 Simon Horman <horms@kernel.org>,
	 Kuniyuki Iwashima <kuniyu@google.com>,
	 Breno Leitao <leitao@debian.org>,
	 Willem de Bruijn <willemb@google.com>,
	 netdev@vger.kernel.org,  linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: ipv4: ipmr: Prevent information leak in ipmr_sk_ioctl()
Date: Tue, 30 Dec 2025 14:35:45 -0500	[thread overview]
Message-ID: <willemdebruijn.kernel.332a5aa0f6f9f@gmail.com> (raw)
In-Reply-To: <20251227073743.17272-1-alperyasinak1@gmail.com>

Alper Ak wrote:
> struct sioc_vif_req has a padding hole after the vifi field due to
> alignment requirements. These padding bytes were uninitialized,
> potentially leaking kernel stack memory to userspace when the
> struct is copied via sock_ioctl_inout().
> 
> Reported by Smatch:
>     net/ipv4/ipmr.c:1575 ipmr_sk_ioctl() warn: check that 'buffer'
>     doesn't leak information (struct has a hole after 'vifi')
> 
> Fixes: e1d001fa5b47 ("net: ioctl: Use kernel memory on protocol ioctl callbacks")

The commit mentions other similar cases. If this is a concern for
sioc_vif_req, then it likely would also be for sioc_mif_req6, which
similarly has a hole.

> Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
> ---
>  net/ipv4/ipmr.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
> index ca9eaee4c2ef..18441fbe7ed7 100644
> --- a/net/ipv4/ipmr.c
> +++ b/net/ipv4/ipmr.c
> @@ -1571,6 +1571,7 @@ int ipmr_sk_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
>  	/* These userspace buffers will be consumed by ipmr_ioctl() */
>  	case SIOCGETVIFCNT: {
>  		struct sioc_vif_req buffer;
> +		memset(&buffer, 0, sizeof(buffer));
>  
>  		return sock_ioctl_inout(sk, cmd, arg, &buffer,
>  				      sizeof(buffer));
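
Review bot: the memset() added right after the declaration of buffer is dead code on this path. sock_ioctl_inout() begins with copy_from_user(karg, arg, size) over the full sizeof(buffer) (quoted in the reply), so every byte of buffer, the hole after vifi included, is overwritten with the caller's own bytes before the protocol callback runs and before copy_to_user() returns it; the padding that reaches user space is therefore user-supplied, not kernel stack. The Smatch warning is a false positive for this call site, so the memset should be dropped rather than added. If zeroing is kept for documentation, a kernel-style initializer on the declaration line, `struct sioc_vif_req buffer = {};`, avoids a separate statement wedged between the declaration and the blank line.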

sock_ioctl_inout copies the whole struct from userspace, calls a
domain-specific callback and then copies the whole struct back:

       if (copy_from_user(karg, arg, size))
               return -EFAULT;

       ret = READ_ONCE(sk->sk_prot)->ioctl(sk, cmd, karg);
       if (ret)
               return ret;

       if (copy_to_user(arg, karg, size))
               return -EFAULT;

As a result, every byte of the memset will be overwritten with the
copy_from_user.


> -- 
> 2.43.0
> 
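
The copy-in / callback / copy-out sequence described in the reply, as an added example in user-space C (not code from the patch, the kernel, or the reply's author): it simulates sock_ioctl_inout() on a local copy of the sioc_vif_req layout, once with and once without the patch's memset(), and contrasts it with the fill-and-copy-out pattern where an uninitialised hole really would reach user space. The struct layout (taken as a local mirror of the uapi definition, with vifi_t as unsigned short), the sentinel byte values, the fake_ipmr_ioctl() callback and the memcpy() stand-ins for copy_from_user()/copy_to_user() are assumptions for the demonstration.

```c
/* Added example, not kernel code: models sock_ioctl_inout() in user space
 * to show what ends up in the padding hole of struct sioc_vif_req. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned short vifi_t;            /* assumed: matches uapi typedef */

/* Assumed local mirror of the uapi layout (linux/mroute.h). */
struct sioc_vif_req {
	vifi_t vifi;                      /* 2 bytes, then a hole before icount */
	unsigned long icount;
	unsigned long ocount;
	unsigned long ibytes;
	unsigned long obytes;
};

#define HOLE_START     sizeof(vifi_t)
#define HOLE_END       offsetof(struct sioc_vif_req, icount)
#define KSTACK_GARBAGE 0xAA   /* stand-in for leftover kernel stack bytes   */
#define USER_FILL      0x55   /* whatever user space put in its own copy    */

/* Stand-in for the protocol callback: it fills in the counters only and
 * never touches vifi or the padding, like a real getter would. */
static int fake_ipmr_ioctl(struct sioc_vif_req *vr)
{
	vr->icount = 1; vr->ocount = 2; vr->ibytes = 3; vr->obytes = 4;
	return 0;
}

/* Counts hole bytes of the returned struct that still hold KSTACK_GARBAGE. */
static size_t leaked_hole_bytes(const unsigned char *out)
{
	size_t i, leaked = 0;
	for (i = HOLE_START; i < HOLE_END; i++)
		if (out[i] == KSTACK_GARBAGE)
			leaked++;
	return leaked;
}

/* Mirrors the sequence quoted in the reply: copy the whole struct in,
 * run the callback, copy the whole struct out. User memory is a plain
 * buffer and memcpy() stands in for copy_from_user()/copy_to_user(). */
static size_t inout_path(int with_memset)
{
	unsigned char user_arg[sizeof(struct sioc_vif_req)];
	struct sioc_vif_req karg;

	memset(user_arg, USER_FILL, sizeof(user_arg));
	memset(&karg, KSTACK_GARBAGE, sizeof(karg)); /* "uninitialised" stack */
	if (with_memset)
		memset(&karg, 0, sizeof(karg));      /* the patch's memset()   */

	memcpy(&karg, user_arg, sizeof(karg));       /* copy_from_user()       */
	fake_ipmr_ioctl(&karg);                      /* sk_prot->ioctl()       */
	memcpy(user_arg, &karg, sizeof(karg));       /* copy_to_user()         */
	return leaked_hole_bytes(user_arg);
}

/* The pattern the Smatch check is really about: the kernel sets the fields
 * itself and copies the struct out without ever having copied it in. */
static size_t fill_only_path(int with_memset)
{
	unsigned char user_arg[sizeof(struct sioc_vif_req)];
	struct sioc_vif_req karg;

	memset(&karg, KSTACK_GARBAGE, sizeof(karg));
	if (with_memset)
		memset(&karg, 0, sizeof(karg));
	karg.vifi = 0;
	fake_ipmr_ioctl(&karg);
	memcpy(user_arg, &karg, sizeof(karg));       /* copy_to_user()         */
	return leaked_hole_bytes(user_arg);
}

int main(void)
{
	printf("hole: bytes %zu..%zu of %zu\n", HOLE_START, HOLE_END,
	       sizeof(struct sioc_vif_req));
	printf("inout path, no memset:     %zu garbage bytes\n", inout_path(0));
	printf("inout path, with memset:   %zu garbage bytes\n", inout_path(1));
	printf("fill-only, no memset:      %zu garbage bytes\n", fill_only_path(0));
	printf("fill-only, with memset:    %zu garbage bytes\n", fill_only_path(1));
	return 0;
}
```

On the inout path the result is the same with or without the memset(): the copy-in has already replaced every byte, hole included, with USER_FILL. Only the fill-only path, which never copies the struct in, returns kernel sentinel bytes through the hole, and that is the shape where a zeroing memset() or `= {}` initializer actually matters.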



2025-12-27  7:37 [PATCH] net: ipv4: ipmr: Prevent information leak in ipmr_sk_ioctl() Alper Ak
2025-12-30 19:35 ` Willem de Bruijn [this message]
