From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 530A02DFA5B for ; Thu, 30 Apr 2026 15:26:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.50 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777562815; cv=none; b=ci61aXumGaVOIPEGIVFcw/wEWSHieKcTHQ7+3J9+4aUSjVGq9uI3nai67zgrgVBcABcPDorzuIA2rumHql1wt2eLZSHCiX//GePStrdl/w8UyJU9No2hlqbuNyYgymT5cKVViGP7GuEDiVqgdWMEjrtJybHM0lHx2jYC67gFs+k= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777562815; c=relaxed/simple; bh=z0DYBvb+LZUpxretZCjDv+k9yn01sF1apvq6+r/SDyc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=P7DLlQ6Sg3R2ixPwLicRmpS6z/7lyhrBNCyqqXfbrjdAr0W35QnBtt+DKZjjPF1nlEwQOLILqGRgu+Mexc8A9rETTu5lKO7gXjHHral/y3hezp2wTsICAUVWeQwylN7tpbdikF+KXXm/JkNunOITDv4p6OT/s2ZbKoHFJvpv97I= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=oAHGY0ZM; arc=none smtp.client-ip=209.85.128.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="oAHGY0ZM" Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-488d2079582so11229165e9.2 for ; Thu, 30 Apr 2026 08:26:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777562812; x=1778167612; darn=vger.kernel.org; 
h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=/1jOo4LrB4QdOIsyappS3L/Lh2AU+Kgh3i+w/0anQdk=; b=oAHGY0ZMUcPi/iwy915tcI2O60jUooipymzZNyQ1WS+f5D6udHxif9elFZhpd/pP64 kYbsbjD9mde6LUYomaTn/kx4k5LP26s4x2/mgEalWGXtVaQNZRv3SERQcL38TtcGwdG3 Kt8jS9sOh3bB1jyeSfmSvWupssjJhTaEr1m2plnW0JaCx8Mj/Jo+uuMF4nJatUE3IRCl F6L+ne2+M97Yu7XdaSkQ7i7vtdSkOO4CzP0vxWg9e97d1stUmGSXAJ8syq6Bk/H9Ki9z knpFUrv70+Bf6HwnuNardnq4TVzJZbG0sc0WGhua8Ic16GOYokNw8puGMpDoXDAvcDPn VAEg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777562812; x=1778167612; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=/1jOo4LrB4QdOIsyappS3L/Lh2AU+Kgh3i+w/0anQdk=; b=MflByeiWNFlMjgl6nYozxRRYuW7aw/DvG9h5ywmvWW0cQblGZKA5psC55mcxUv0fA4 WumTjjQT1OnIoABLTlUx6FMeZ6SrAj4TKNiHWFiUHnMh8HlZXt5d9NpTWo09hbV334j7 Mp7I3zHLqGUEyDod+5byhyvM0YG/hxieKMb5Jmf6qSj8zCtwou8fX2AL1QIBtHxP1Rvc nzvlevLlB01PbkqE+g0MB9OFOtWp1r9ihueVKiiYdUKg8QfGPwNh/i2xNkx+uo4YQQpa u6rYSyYMwE2AEFh+4mBQL7rFYZ1AZ46tX+RY+5FHir0oL9e16zviggpjGRe11C1tR87z xBYQ== X-Gm-Message-State: AOJu0YymDQoTk1pdvnGedXPR50EucAdnAYUTkcyZMmuLW0uxio3As1rV 2YVQ1G6KmgJshzywImO9qAGa/0Orc0IDrRCmrkqnuiXDZbC8pgsD7/zJzvF7clbg13VgEg== X-Gm-Gg: AeBDieurNrtkAMJo2JOCWwglh01PfEI0UYppkC7jhSRqbCrt0RTMAMQ47xNckZkOmc3 Hs4LM6yctrxoPEoscz7Wcpaq16TCmxLKsSHnspynqVLNq2bARWxo1fCOp0xYg4DNDPfJcgl649i SZD39IHXLYzFnIcqR987927FBu9qOuphGJfpB6imhJ7E1P5kkyuiKL6M82BMCDwGkbu10AC6oF4 Z37m64VI1Ao3Ft6WkTV7VLbXR1iOa8ze7AJdg3NZ4XaOnq0Wy3fZjItruxJDimVcbqBQ+HX1QBO p6kxpEEEaWic0fSzh8DZ6xnJtIA6B7SYXwrfrZvMJsQA9Nt0wrsRhy9TkVWFOvepewzePe0svfM 7CJyM8bgPRyIO/f+JO4/zXv/lSDiA7OYjp0kRop1bBY8gU+iMw1d0698fJ5Ibdg1uWF5vmzQphW +ope7dTwkWZzDWccL128h7KPLd37HoAzF3fUnNF++Xr1sY/7c2OagnzVDu0u54iIGbcKQBdCQHt 7GAnL8M4GmG199tiO+qptMr/o6jvyiUUTDJfg== X-Received: by 
2002:a05:600c:a408:b0:48a:58ae:992f with SMTP id 5b1f17b1804b1-48a84446302mr43617965e9.16.1777562811753; Thu, 30 Apr 2026 08:26:51 -0700 (PDT) Received: from localhost.localdomain ([2a00:a041:e04f:2600:f9d2:9c9e:9a42:5d91]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48a82301ad1sm119212485e9.9.2026.04.30.08.26.50 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Thu, 30 Apr 2026 08:26:51 -0700 (PDT) 
From: Kai Zen
To: netdev@vger.kernel.org
Cc: stable@vger.kernel.org, edumazet@google.com, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, gregkh@linuxfoundation.org
Subject: [PATCH net v3] net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
Date: Thu, 30 Apr 2026 18:26:48 +0300
Message-ID: <3c506e8f936e52b57620269b55c348af05d413a2.1777557228.git.kai.aizen.dev@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To:
References:
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without
initialisation:

    struct ifla_vf_broadcast vf_broadcast;

The struct contains a single fixed 32-byte field:

    /* include/uapi/linux/if_link.h */
    struct ifla_vf_broadcast {
        __u8 broadcast[32];
    };

The function then copies dev->broadcast into it using dev->addr_len as the
length:

    memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);

On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len
is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26
bytes retain whatever was previously on the kernel stack.

The full struct is then handed to userspace via:

    nla_put(skb, IFLA_VF_BROADCAST, sizeof(vf_broadcast), &vf_broadcast)

leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK
request, repeatable.

The other vf_* structs in the same function are explicitly zeroed for exactly
this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and
port_guid a few lines above. vf_broadcast was simply missed when it was added.

Reachability: any unprivileged local process can open AF_NETLINK /
NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK
attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits
IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request.

Stack residue at this call site can include return addresses and transient
sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the
nla_put() when reproduced.

Zero the on-stack struct before the partial memcpy, matching the existing
pattern used for the other vf_* structs in the same function.

Fixes: 75345f888f70 ("ipoib: show VF broadcast address")
Cc: stable@vger.kernel.org
Signed-off-by: Kai Zen
---
 net/core/rtnetlink.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index b613bb6e0..df042da42 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1572,6 +1572,7 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb, port_guid.vf = ivi.vf; memcpy(vf_mac.mac, ivi.mac, sizeof(ivi.mac)); + memset(&vf_broadcast, 0, sizeof(vf_broadcast)); memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len); vf_vlan.vlan = ivi.vlan; vf_vlan.qos = ivi.qos; -- 2.43.0
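Review bot: the memset() added here fixes the short-copy case, but the memcpy() right after it still takes dev->addr_len as the length with no bound visible in this hunk against the 32-byte broadcast[] field the commit message quotes; a one-line comment at the memcpy stating that dev->addr_len can never exceed that field (or clamping with min_t(unsigned int, dev->addr_len, sizeof(vf_broadcast.broadcast)) if the maintainers prefer the check to be explicit) would let a reviewer confirm the copy is safe without leaving the hunk. Small style point as well: the commit message notes that ivi, vf_vlan_info, node_guid and port_guid are zeroed by memset() calls a few lines above, so initialising vf_broadcast at its declaration (struct ifla_vf_broadcast vf_broadcast = {};) or grouping its memset() with the others would keep the zeroing pattern in one place instead of introducing a second one right before the copy.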
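The partial-copy pattern the commit message describes, modelled in userspace as an added example; this is not code from the patch or from the kernel. The struct stand-in, the pre-poisoned buffer that plays the role of stale stack residue, and the names vf_broadcast_model, fill_vf_broadcast, leaked_bytes_for and STALE_BYTE are all constructed for this illustration. The model reproduces both the pre-patch sequence and the one-line fix, and the residue count it returns is the same check a KMSAN-style tool performs automatically on the nla_put():

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define VF_BROADCAST_LEN 32   /* matches __u8 broadcast[32] in include/uapi/linux/if_link.h */
#define STALE_BYTE 0xA5       /* constructed marker standing in for stale stack residue */

/* Constructed stand-in for struct ifla_vf_broadcast (not the kernel's type). */
struct vf_broadcast_model {
    unsigned char broadcast[VF_BROADCAST_LEN];
};

/*
 * Model of the rtnl_fill_vfinfo() sequence. The caller hands in a struct
 * whose memory is already filled with STALE_BYTE to stand in for whatever
 * the previous frame left on the stack; a genuinely uninitialised local
 * would be nondeterministic, which is exactly the bug's problem.
 * zero_first == 0 reproduces the pre-patch behaviour, 1 reproduces the fix.
 */
static void fill_vf_broadcast(struct vf_broadcast_model *out,
                              const unsigned char *dev_broadcast,
                              size_t addr_len, int zero_first)
{
    if (zero_first)
        memset(out, 0, sizeof(*out));            /* the one-line fix from the patch */

    /* Defensive bound, assumed here for the model: the kernel's own
     * address-length limit keeps addr_len within the 32-byte field. */
    if (addr_len > sizeof(out->broadcast))
        addr_len = sizeof(out->broadcast);

    memcpy(out->broadcast, dev_broadcast, addr_len);
}

/*
 * Count bytes past addr_len that still carry the stale marker, i.e. what
 * nla_put(skb, IFLA_VF_BROADCAST, sizeof(vf_broadcast), ...) would copy
 * out to userspace unchanged.
 */
static size_t count_leaked_bytes(const struct vf_broadcast_model *m,
                                 size_t addr_len)
{
    size_t leaked = 0;

    for (size_t i = addr_len; i < sizeof(m->broadcast); i++)
        if (m->broadcast[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

/*
 * Run the model for a device whose link-layer address is addr_len bytes long
 * and return how many residue bytes would reach userspace.
 */
size_t leaked_bytes_for(size_t addr_len, int zero_first)
{
    /* Constructed sample device broadcast address: all 0xff, like Ethernet's
     * ff:ff:ff:ff:ff:ff, padded to the full 32 bytes. */
    unsigned char dev_broadcast[VF_BROADCAST_LEN];
    struct vf_broadcast_model vfb;

    memset(dev_broadcast, 0xff, sizeof(dev_broadcast));
    memset(&vfb, STALE_BYTE, sizeof(vfb));     /* simulate stale stack contents */

    fill_vf_broadcast(&vfb, dev_broadcast, addr_len, zero_first);
    return count_leaked_bytes(&vfb, addr_len);
}

int main(void)
{
    printf("Ethernet (addr_len=6), no memset : %zu stale bytes exposed\n",
           leaked_bytes_for(6, 0));
    printf("Ethernet (addr_len=6), with memset: %zu stale bytes exposed\n",
           leaked_bytes_for(6, 1));
    return 0;
}
```

The 26 in the commit message falls straight out of the model (32 - 6); a device with a longer link-layer address exposes correspondingly less, and only a 32-byte address would fill the field by accident. The memset at the top of fill_vf_broadcast is the whole fix: the copy length is unchanged, so the fix costs nothing on the fast path and removes the dependence on what the previous stack frame left behind.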