* [PATCH net] ipmr: prevent info-leak in pmr_cache_report()
@ 2026-04-30 7:06 Eric Dumazet
From: Eric Dumazet @ 2026-04-30 7:06 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: Ido Schimmel, David Ahern, Simon Horman, netdev, eric.dumazet,
Eric Dumazet, Yiming Qian
Yiming Qian reported:
<quote>
`ipmr_cache_report()` allocates a report skb with `alloc_skb(128,
GFP_ATOMIC)` and appends a `struct igmphdr` using `skb_put()`. In the
non-`IGMPMSG_WHOLEPKT` path it initializes only:
- `igmp->type`
- `igmp->code`
but does not initialize:
- `igmp->csum`
- `igmp->group`
Later, `igmpmsg_netlink_event()` copies the bytes after `sizeof(struct
igmpmsg)` into the `IPMRA_CREPORT_PKT` netlink attribute and emits
`RTM_NEWCACHEREPORT` on `RTNLGRP_IPV4_MROUTE_R`.
As a result, 6 bytes of stale heap data from the skb head are
disclosed to userspace.
</quote>
Let's use skb_put_zero() instead of skb_put() to fix this bug.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
net/ipv4/ipmr.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 2058ca860294b01385063555d0354b7a9a736118..05fb6eefe0beb3c45c7ec485692460b84cb332c4 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1112,11 +1112,12 @@ static int ipmr_cache_report(const struct mr_table *mrt,
msg->im_vif_hi = vifi >> 8;
ipv4_pktinfo_prepare(mroute_sk, pkt, false);
memcpy(skb->cb, pkt->cb, sizeof(skb->cb));
- /* Add our header */
- igmp = skb_put(skb, sizeof(struct igmphdr));
+ /* Add our header.
+ * Note that code, csum and group fields are cleared.
+ */
+ igmp = skb_put_zero(skb, sizeof(struct igmphdr));
igmp->type = assert;
msg->im_msgtype = assert;
- igmp->code = 0;
ip_hdr(skb)->tot_len = htons(skb->len); /* Fix the length */
skb->transport_header = skb->network_header;
}
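Review bot: the new comment on `+ /* Add our header.` / `+ * Note that code, csum and group fields are cleared.` undersells why the zeroing matters; since this is the fix for the 6-byte disclosure described in the commit message, consider stating that `csum` and `group` are never written on this path and would otherwise reach userspace through `IPMRA_CREPORT_PKT` in igmpmsg_netlink_event(), so the zero-fill is load-bearing and must not be swapped back to skb_put(). Dropping `igmp->code = 0;` is consistent, as skb_put_zero() already clears the whole struct igmphdr before `igmp->type = assert;` is written.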
--
2.54.0.545.g6539524ca2-goog
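The disclosure the commit message describes, as an added userspace model that is not part of the patch or the kernel: a fake 128-byte skb head is pre-filled with a marker byte standing in for stale heap data, fake_skb_put() reserves bytes without clearing them like skb_put(), fake_skb_put_zero() clears them like skb_put_zero(), and the non-IGMPMSG_WHOLEPKT report path is reduced to "append an igmphdr and set type (and, for the old code, code)". The model skips the IP header / struct igmpmsg that precedes the igmphdr in the real skb, and the message-type value is a constructed placeholder.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STALE    0xA5   /* marker standing in for old heap contents */
#define HEAD_LEN 128    /* mirrors alloc_skb(128, GFP_ATOMIC) */

struct igmphdr_model {  /* same 8-byte layout as struct igmphdr */
    uint8_t  type;
    uint8_t  code;
    uint16_t csum;
    uint32_t group;
};

struct fake_skb { uint8_t data[HEAD_LEN]; size_t len; };

/* Like skb_put(): hand out the next n bytes of the head, untouched. */
static void *fake_skb_put(struct fake_skb *skb, size_t n)
{ void *p = skb->data + skb->len; skb->len += n; return p; }

/* Like skb_put_zero(): same, but the bytes are cleared first. */
static void *fake_skb_put_zero(struct fake_skb *skb, size_t n)
{ return memset(fake_skb_put(skb, n), 0, n); }

/* The report path: 'assert_type' is what the kernel writes to igmp->type. */
static void build_report(struct fake_skb *skb, bool zeroed, uint8_t assert_type)
{
    memset(skb->data, STALE, HEAD_LEN);  /* the head was reused: stale data */
    skb->len = 0;
    struct igmphdr_model *igmp = zeroed
        ? fake_skb_put_zero(skb, sizeof(*igmp))
        : fake_skb_put(skb, sizeof(*igmp));
    igmp->type = assert_type;
    if (!zeroed)
        igmp->code = 0;  /* the explicit assignment the patch removes */
}

/* Bytes of the appended header still holding the marker: these are what
 * igmpmsg_netlink_event() would export as IPMRA_CREPORT_PKT. */
static size_t count_stale_bytes(const struct fake_skb *skb)
{
    size_t stale = 0;
    for (size_t i = 0; i < skb->len; i++)
        if (skb->data[i] == STALE) stale++;
    return stale;
}

static size_t leaked_bytes(bool zeroed)
{
    struct fake_skb skb;
    build_report(&skb, zeroed, 1 /* constructed message-type value */);
    return count_stale_bytes(&skb);
}
```

leaked_bytes(false) models the pre-patch code and reports the 6 stale bytes (csum plus group); leaked_bytes(true) models the skb_put_zero() version and reports none.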
* Re: [PATCH net] ipmr: prevent info-leak in pmr_cache_report()
@ 2026-04-30 13:10 ` Ido Schimmel
From: Ido Schimmel @ 2026-04-30 13:10 UTC (permalink / raw)
To: Eric Dumazet
Cc: David S . Miller, Jakub Kicinski, Paolo Abeni, David Ahern,
Simon Horman, netdev, eric.dumazet, Yiming Qian
Nit: s/pmr_cache_report/ipmr_cache_report/ in subject
On Thu, Apr 30, 2026 at 07:06:11AM +0000, Eric Dumazet wrote:
> Yiming Qian reported:
>
> <quote>
> `ipmr_cache_report()` allocates a report skb with `alloc_skb(128,
> GFP_ATOMIC)` and appends a `struct igmphdr` using `skb_put()`. In the
> non-`IGMPMSG_WHOLEPKT` path it initializes only:
>
> - `igmp->type`
> - `igmp->code`
>
> but does not initialize:
>
> - `igmp->csum`
> - `igmp->group`
>
> Later, `igmpmsg_netlink_event()` copies the bytes after `sizeof(struct
> igmpmsg)` into the `IPMRA_CREPORT_PKT` netlink attribute and emits
> `RTM_NEWCACHEREPORT` on `RTNLGRP_IPV4_MROUTE_R`.
>
> As a result, 6 bytes of stale heap data from the skb head are
> disclosed to userspace.
> </quote>
>
> Let's use skb_put_zero() instead of skb_put() to fix this bug.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: Yiming Qian <yimingqian591@gmail.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
FYI, I checked and ip6mr_cache_report() seems OK.
* Re: [PATCH net] ipmr: prevent info-leak in pmr_cache_report()
@ 2026-05-02 0:10 ` patchwork-bot+netdevbpf
From: patchwork-bot+netdevbpf @ 2026-05-02 0:10 UTC (permalink / raw)
To: Eric Dumazet
Cc: davem, kuba, pabeni, idosch, dsahern, horms, netdev, eric.dumazet,
yimingqian591
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Thu, 30 Apr 2026 07:06:11 +0000 you wrote:
> Yiming Qian reported:
>
> <quote>
> `ipmr_cache_report()` allocates a report skb with `alloc_skb(128,
> GFP_ATOMIC)` and appends a `struct igmphdr` using `skb_put()`. In the
> non-`IGMPMSG_WHOLEPKT` path it initializes only:
>
> [...]
Here is the summary with links:
- [net] ipmr: prevent info-leak in pmr_cache_report()
https://git.kernel.org/netdev/net/c/4f34002e2e37
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html