* [PATCH] sctp: diag: fix uninitialized stack leak via INET_DIAG_LOCALS/PEERS
@ 2026-07-15 3:35 MingXuan
2026-07-15 16:15 ` Xin Long
0 siblings, 1 reply; 2+ messages in thread
From: MingXuan @ 2026-07-15 3:35 UTC (permalink / raw)
To: Marcelo Ricardo Leitner, Xin Long
Cc: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, linux-sctp, netdev, linux-kernel, MingXuan, stable
inet_diag_msg_sctpladdrs_fill() copies sizeof(union sctp_addr) (28 bytes,
the size of sockaddr_in6) from each sctp_sockaddr_entry.a into the netlink
INET_DIAG_LOCALS attribute and then only zeroes the bytes from offset 28 to
sizeof(sockaddr_storage). The same pattern is used by
inet_diag_msg_sctpaddrs_fill() for INET_DIAG_PEERS.
The IPv4 address-filling helpers sctp_v4_from_addr_param() and
sctp_v4_from_skb() only initialize the sockaddr_in portion (16 bytes) of the
union sctp_addr; the trailing 12 bytes (offset 16..27, the sockaddr_in6-only
region) are left uninitialized. Those bytes are propagated verbatim through
sctp_add_bind_addr() (which copies sizeof(union sctp_addr)=28 bytes) and then
copied straight to userspace by the diag fill functions, leaking 12 bytes of
kernel stack residue per local/peer address to any process that can issue a
SOCK_DIAG_BY_FAMILY dump for IPPROTO_SCTP.
Fix it by computing the actually-initialized length of the address from its
sa_family (struct sockaddr_in for AF_INET, the whole union otherwise) and
copying only that many bytes into an already-zeroed sockaddr_storage slot, so
the uninitialized tail is never read and never reaches userspace.
Fixes: 8f840e47f190cbe61a96945c13e9551048d42cef ("sctp: add the sctp_diag.c file")
Cc: stable@vger.kernel.org
Signed-off-by: MingXuan <omeux327@gmail.com>
---
net/sctp/diag.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/net/sctp/diag.c b/net/sctp/diag.c
index d758f5c3e06e..12557e924cc2 100644
--- a/net/sctp/diag.c
+++ b/net/sctp/diag.c
@@ -85,8 +85,12 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb,
info = nla_data(attr);
rcu_read_lock();
list_for_each_entry_rcu(laddr, address_list, list) {
- memcpy(info, &laddr->a, sizeof(laddr->a));
- memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a));
+ size_t addr_len = laddr->a.sa.sa_family == AF_INET ?
+ sizeof(struct sockaddr_in) :
+ sizeof(struct sockaddr_in6);
+
+ memset(info, 0, addrlen);
+ memcpy(info, &laddr->a, addr_len);
info += addrlen;
if (!--addrcnt)
@@ -113,9 +117,12 @@ static int inet_diag_msg_sctpaddrs_fill(struct sk_buff *skb,
info = nla_data(attr);
list_for_each_entry(from, &asoc->peer.transport_addr_list,
transports) {
- memcpy(info, &from->ipaddr, sizeof(from->ipaddr));
- memset(info + sizeof(from->ipaddr), 0,
- addrlen - sizeof(from->ipaddr));
+ size_t addr_len = from->ipaddr.sa.sa_family == AF_INET ?
+ sizeof(struct sockaddr_in) :
+ sizeof(struct sockaddr_in6);
+
+ memset(info, 0, addrlen);
+ memcpy(info, &from->ipaddr, addr_len);
info += addrlen;
}
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] sctp: diag: fix uninitialized stack leak via INET_DIAG_LOCALS/PEERS
2026-07-15 3:35 [PATCH] sctp: diag: fix uninitialized stack leak via INET_DIAG_LOCALS/PEERS MingXuan
@ 2026-07-15 16:15 ` Xin Long
0 siblings, 0 replies; 2+ messages in thread
From: Xin Long @ 2026-07-15 16:15 UTC (permalink / raw)
To: MingXuan
Cc: Marcelo Ricardo Leitner, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman, linux-sctp, netdev,
linux-kernel, stable
On Tue, Jul 14, 2026 at 11:35 PM MingXuan <omeux327@gmail.com> wrote:
>
> inet_diag_msg_sctpladdrs_fill() copies sizeof(union sctp_addr) (28 bytes,
> the size of sockaddr_in6) from each sctp_sockaddr_entry.a into the netlink
> INET_DIAG_LOCALS attribute and then only zeroes the bytes from offset 28 to
> sizeof(sockaddr_storage). The same pattern is used by
> inet_diag_msg_sctpaddrs_fill() for INET_DIAG_PEERS.
>
> The IPv4 address-filling helpers sctp_v4_from_addr_param() and
> sctp_v4_from_skb() only initialize the sockaddr_in portion (16 bytes) of the
> union sctp_addr; the trailing 12 bytes (offset 16..27, the sockaddr_in6-only
> region) are left uninitialized. Those bytes are propagated verbatim through
> sctp_add_bind_addr() (which copies sizeof(union sctp_addr)=28 bytes) and then
> copied straight to userspace by the diag fill functions, leaking 12 bytes of
> kernel stack residue per local/peer address to any process that can issue a
> SOCK_DIAG_BY_FAMILY dump for IPPROTO_SCTP.
>
> Fix it by computing the actually-initialized length of the address from its
> sa_family (struct sockaddr_in for AF_INET, the whole union otherwise) and
> copying only that many bytes into an already-zeroed sockaddr_storage slot, so
> the uninitialized tail is never read and never reaches userspace.
>
> Fixes: 8f840e47f190cbe61a96945c13e9551048d42cef ("sctp: add the sctp_diag.c file")
> Cc: stable@vger.kernel.org
> Signed-off-by: MingXuan <omeux327@gmail.com>
> ---
> net/sctp/diag.c | 17 ++++++++++++-----
> 1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/net/sctp/diag.c b/net/sctp/diag.c
> index d758f5c3e06e..12557e924cc2 100644
> --- a/net/sctp/diag.c
> +++ b/net/sctp/diag.c
> @@ -85,8 +85,12 @@ static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb,
> info = nla_data(attr);
> rcu_read_lock();
> list_for_each_entry_rcu(laddr, address_list, list) {
> - memcpy(info, &laddr->a, sizeof(laddr->a));
> - memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a));
> + size_t addr_len = laddr->a.sa.sa_family == AF_INET ?
> + sizeof(struct sockaddr_in) :
> + sizeof(struct sockaddr_in6);
> +
> + memset(info, 0, addrlen);
> + memcpy(info, &laddr->a, addr_len);
> info += addrlen;
>
> if (!--addrcnt)
> @@ -113,9 +117,12 @@ static int inet_diag_msg_sctpaddrs_fill(struct sk_buff *skb,
> info = nla_data(attr);
> list_for_each_entry(from, &asoc->peer.transport_addr_list,
> transports) {
> - memcpy(info, &from->ipaddr, sizeof(from->ipaddr));
> - memset(info + sizeof(from->ipaddr), 0,
> - addrlen - sizeof(from->ipaddr));
> + size_t addr_len = from->ipaddr.sa.sa_family == AF_INET ?
> + sizeof(struct sockaddr_in) :
> + sizeof(struct sockaddr_in6);
> +
> + memset(info, 0, addrlen);
> + memcpy(info, &from->ipaddr, addr_len);
> info += addrlen;
> }
>
> --
> 2.50.1 (Apple Git-155)
>
Acked-by: Xin Long <lucien.xin@gmail.com>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-15 16:15 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-15 3:35 [PATCH] sctp: diag: fix uninitialized stack leak via INET_DIAG_LOCALS/PEERS MingXuan
2026-07-15 16:15 ` Xin Long
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox