From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
<netdev@vger.kernel.org>
Subject: [PATCH 7/8] xfrm_user: fix info leak in build_report()
Date: Wed, 8 Apr 2026 11:59:03 +0200 [thread overview]
Message-ID: <20260408095925.253681-8-steffen.klassert@secunet.com> (raw)
In-Reply-To: <20260408095925.253681-1-steffen.klassert@secunet.com>
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
struct xfrm_user_report is a __u8 proto field followed by a struct
xfrm_selector which means there is three "empty" bytes of padding, but
the padding is never zeroed before copying to userspace. Fix that up by
zeroing the structure before setting individual member variables.
Cc: stable <stable@kernel.org>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Simon Horman <horms@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_user.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index baa43c325da2..d56450f61669 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -4125,6 +4125,7 @@ static int build_report(struct sk_buff *skb, u8 proto,
return -EMSGSIZE;
ur = nlmsg_data(nlh);
+ memset(ur, 0, sizeof(*ur));
ur->proto = proto;
memcpy(&ur->sel, sel, sizeof(ur->sel));
--
2.43.0
next prev parent reply other threads:[~2026-04-08 9:59 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 9:58 [PATCH 0/8] pull request (net): ipsec 2026-04-08 Steffen Klassert
2026-04-08 9:58 ` [PATCH 1/8] xfrm: clear trailing padding in build_polexpire() Steffen Klassert
2026-04-08 9:58 ` [PATCH 2/8] xfrm: account XFRMA_IF_ID in aevent size calculation Steffen Klassert
2026-04-08 9:58 ` [PATCH 3/8] xfrm: Wait for RCU readers during policy netns exit Steffen Klassert
2026-04-08 9:59 ` [PATCH 4/8] xfrm: hold dev ref until after transport_finish NF_HOOK Steffen Klassert
2026-04-08 9:59 ` [PATCH 5/8] xfrm: fix refcount leak in xfrm_migrate_policy_find Steffen Klassert
2026-04-08 9:59 ` [PATCH 6/8] xfrm_user: fix info leak in build_mapping() Steffen Klassert
2026-04-08 9:59 ` Steffen Klassert [this message]
2026-04-08 9:59 ` [PATCH 8/8] net: af_key: zero aligned sockaddr tail in PF_KEY exports Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260408095925.253681-8-steffen.klassert@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox