From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx1.secunet.com (mx1.secunet.com [62.96.220.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DA18A3B4E88 for ; Wed, 8 Apr 2026 09:59:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=62.96.220.36 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775642392; cv=none; b=D9O+vtpPby12/s9cAEA6yF0mt64BsEksT2/XGian1YohTCeMxl90OGLBFRVarZE4Ua7HrFiSAgtwczaEo9HooFTxkzG7rSPFfck6uBChdB10dQSVXLs9CIcGfJGHj70C8TA1lsUQgeGhJyRLq3k3jM5ZNhLjRGfXdGBPM8kE/Tk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775642392; c=relaxed/simple; bh=bDxOZ0zM5+klnauIdYg95u9ZO2WJMcPgdcQOPoZXDp4=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=D8Ha9TCGwW8HkCpjHYF5riYuOXONK1ui8fDhAqSI+Uq68TvYVyVb7ZVWvYINMuFyZbmpNRezZU5JMUmkmKTrBp9UxcL2HVj3KgNukFnrLbWLCIFwiU+2kn8Y18iTvyRU+2aCgf2uQAniVjHD0orGswXFzrnB1d2gCU5vPR4fIgE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=secunet.com; spf=pass smtp.mailfrom=secunet.com; dkim=pass (2048-bit key) header.d=secunet.com header.i=@secunet.com header.b=dBrkl3R/; arc=none smtp.client-ip=62.96.220.36 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=secunet.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=secunet.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=secunet.com header.i=@secunet.com header.b="dBrkl3R/" Received: from localhost (localhost [127.0.0.1]) by mx1.secunet.com (Postfix) with ESMTP id BDC22207C1; Wed, 8 Apr 2026 11:59:37 +0200 (CEST) X-Virus-Scanned: by secunet Received: from mx1.secunet.com ([127.0.0.1]) by localhost (mx1.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wRt0Gh3D5sSB; Wed, 8 Apr 2026 11:59:37 +0200 (CEST) Received: from EXCH-01.secunet.de (rl1.secunet.de [10.32.0.231]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.secunet.com (Postfix) with ESMTPS id 2F914207E4; Wed, 8 Apr 2026 11:59:37 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.secunet.com 2F914207E4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secunet.com; s=202301; t=1775642377; bh=QQEx/TeDulHabv6WxyTGUJZWBZKu6glfPpJRL95T2N8=; h=From:To:CC:Subject:Date:In-Reply-To:References:From; b=dBrkl3R/FoqqWdqd3DTx70OSKPw7i/XPzwkv7/X5JWu48eymJwGMU2Cpj8LYV9Ozx SVJuiiTn+5ZdD/bqUUsORW2Z42cm7psrYmco7Y5InUGz0siVWjBM4tQKZxg6nOmb+b PXLiB3tL0SxeDVHgL2L9etFGMDsEoN/VsthFjgJDR7lAoH8mHKf07w/zXUNEQ70lkU alkGmATZgB6KK0sXy07hiEIkUkR7CFyZDxk+kwcMuLdKq4c1WNPXLUIKVl02qmhtBr IjYjuvCRUDeS6LCl5p9GpDDTyuCiQa/Iup+gHKRpk/IcC3xqZ0jFnTbrOtuhXvQmyi VCl2QlyQapKHg== Received: from secunet.com (10.182.7.193) by EXCH-01.secunet.de (10.32.0.171) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.17; Wed, 8 Apr 2026 11:59:36 +0200 Received: (nullmailer pid 257059 invoked by uid 1000); Wed, 08 Apr 2026 09:59:28 -0000 From: Steffen Klassert To: David Miller , Jakub Kicinski CC: Herbert Xu , Steffen Klassert , Subject: [PATCH 6/8] xfrm_user: fix info leak in build_mapping() Date: Wed, 8 Apr 2026 11:59:02 +0200 Message-ID: <20260408095925.253681-7-steffen.klassert@secunet.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260408095925.253681-1-steffen.klassert@secunet.com> References: <20260408095925.253681-1-steffen.klassert@secunet.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-ClientProxiedBy: EXCH-01.secunet.de (10.32.0.171) To EXCH-01.secunet.de (10.32.0.171) From: Greg Kroah-Hartman struct xfrm_usersa_id has a one-byte padding hole after the proto field, which ends up never getting set to zero before copying out to userspace. Fix that up by zeroing out the whole structure before setting individual variables. Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink") Cc: Steffen Klassert Cc: Herbert Xu Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Simon Horman Assisted-by: gregkh_clanker_t1000 Signed-off-by: Greg Kroah-Hartman Signed-off-by: Steffen Klassert --- net/xfrm/xfrm_user.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index a779590c985a..baa43c325da2 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -4172,6 +4172,7 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x, um = nlmsg_data(nlh); + memset(&um->id, 0, sizeof(um->id)); memcpy(&um->id.daddr, &x->id.daddr, sizeof(um->id.daddr)); um->id.spi = x->id.spi; um->id.family = x->props.family; -- 2.43.0