From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
<netdev@vger.kernel.org>
Subject: [PATCH 6/8] xfrm_user: fix info leak in build_mapping()
Date: Wed, 8 Apr 2026 11:59:02 +0200 [thread overview]
Message-ID: <20260408095925.253681-7-steffen.klassert@secunet.com> (raw)
In-Reply-To: <20260408095925.253681-1-steffen.klassert@secunet.com>
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
struct xfrm_usersa_id has a one-byte padding hole after the proto
field, which ends up never getting set to zero before copying out to
userspace. Fix that up by zeroing out the whole structure before
setting individual variables.
Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink")
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Simon Horman <horms@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_user.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index a779590c985a..baa43c325da2 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -4172,6 +4172,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x,
um = nlmsg_data(nlh);
+ memset(&um->id, 0, sizeof(um->id));
memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr));
um->id.spi = x->id.spi;
um->id.family = x->props.family;
--
2.43.0
next prev parent reply other threads:[~2026-04-08 9:59 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 9:58 [PATCH 0/8] pull request (net): ipsec 2026-04-08 Steffen Klassert
2026-04-08 9:58 ` [PATCH 1/8] xfrm: clear trailing padding in build_polexpire() Steffen Klassert
2026-04-08 9:58 ` [PATCH 2/8] xfrm: account XFRMA_IF_ID in aevent size calculation Steffen Klassert
2026-04-08 9:58 ` [PATCH 3/8] xfrm: Wait for RCU readers during policy netns exit Steffen Klassert
2026-04-08 9:59 ` [PATCH 4/8] xfrm: hold dev ref until after transport_finish NF_HOOK Steffen Klassert
2026-04-08 9:59 ` [PATCH 5/8] xfrm: fix refcount leak in xfrm_migrate_policy_find Steffen Klassert
2026-04-08 9:59 ` Steffen Klassert [this message]
2026-04-08 9:59 ` [PATCH 7/8] xfrm_user: fix info leak in build_report() Steffen Klassert
2026-04-08 9:59 ` [PATCH 8/8] net: af_key: zero aligned sockaddr tail in PF_KEY exports Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260408095925.253681-7-steffen.klassert@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox