* [PATCH v1] VSOCK: fix Information Leak in virtio_transport_shutdown()
@ 2025-08-05 5:10 bsdhenrymartin
2025-08-05 6:55 ` Wang Liang
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: bsdhenrymartin @ 2025-08-05 5:10 UTC (permalink / raw)
To: huntazhang, jitxie, landonsun, stefanha, sgarzare, mst, jasowang,
xuanzhuo, eperezma, davem, edumazet, kuba, pabeni, horms
Cc: kvm, virtualization, netdev, linux-kernel, bsdhenrymartin,
Henry Martin, TCS Robot
From: Henry Martin <bsdhenryma@tencent.com>
The `struct virtio_vsock_pkt_info` is declared on the stack but only
partially initialized (only `op`, `flags`, and `vsk` are set)
The uninitialized fields (including `pkt_len`, `remote_cid`,
`remote_port`, etc.) contain residual kernel stack data. This structure
is passed to `virtio_transport_send_pkt_info()`, which uses the
uninitialized fields.
Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
Reported-by: TCS Robot <tcs_robot@tencent.com>
Signed-off-by: Henry Martin <bsdhenryma@tencent.com>
---
net/vmw_vsock/virtio_transport_common.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index fe92e5fa95b4..cb391a98d025 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1073,14 +1073,14 @@ EXPORT_SYMBOL_GPL(virtio_transport_connect);
int virtio_transport_shutdown(struct vsock_sock *vsk, int mode)
{
- struct virtio_vsock_pkt_info info = {
- .op = VIRTIO_VSOCK_OP_SHUTDOWN,
- .flags = (mode & RCV_SHUTDOWN ?
- VIRTIO_VSOCK_SHUTDOWN_RCV : 0) |
- (mode & SEND_SHUTDOWN ?
- VIRTIO_VSOCK_SHUTDOWN_SEND : 0),
- .vsk = vsk,
- };
+ struct virtio_vsock_pkt_info info = {0};
+
+ info.op = VIRTIO_VSOCK_OP_SHUTDOWN;
+ info.flags = (mode & RCV_SHUTDOWN ?
+ VIRTIO_VSOCK_SHUTDOWN_RCV : 0) |
+ (mode & SEND_SHUTDOWN ?
+ VIRTIO_VSOCK_SHUTDOWN_SEND : 0);
+ info.vsk = vsk;
return virtio_transport_send_pkt_info(vsk, &info);
}
--
2.41.3
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v1] VSOCK: fix Information Leak in virtio_transport_shutdown()
2025-08-05 5:10 [PATCH v1] VSOCK: fix Information Leak in virtio_transport_shutdown() bsdhenrymartin
@ 2025-08-05 6:55 ` Wang Liang
2025-08-05 7:00 ` Stefano Garzarella
2025-08-05 8:08 ` [PATCH] " Markus Elfring
2 siblings, 0 replies; 5+ messages in thread
From: Wang Liang @ 2025-08-05 6:55 UTC (permalink / raw)
To: bsdhenrymartin, huntazhang, jitxie, landonsun, stefanha, sgarzare,
mst, jasowang, xuanzhuo, eperezma, davem, edumazet, kuba, pabeni,
horms
Cc: kvm, virtualization, netdev, linux-kernel, Henry Martin,
TCS Robot
在 2025/8/5 13:10, bsdhenrymartin@gmail.com 写道:
> From: Henry Martin <bsdhenryma@tencent.com>
>
> The `struct virtio_vsock_pkt_info` is declared on the stack but only
> partially initialized (only `op`, `flags`, and `vsk` are set)
>
> The uninitialized fields (including `pkt_len`, `remote_cid`,
> `remote_port`, etc.) contain residual kernel stack data. This structure
> is passed to `virtio_transport_send_pkt_info()`, which uses the
> uninitialized fields.
>
> Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
> Reported-by: TCS Robot <tcs_robot@tencent.com>
> Signed-off-by: Henry Martin <bsdhenryma@tencent.com>
> ---
> net/vmw_vsock/virtio_transport_common.c | 15 +++++++--------
> 1 file changed, 7 insertions(+), 8 deletions(-)
>
> diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
> index fe92e5fa95b4..cb391a98d025 100644
> --- a/net/vmw_vsock/virtio_transport_common.c
> +++ b/net/vmw_vsock/virtio_transport_common.c
> @@ -1073,14 +1073,14 @@ EXPORT_SYMBOL_GPL(virtio_transport_connect);
>
> int virtio_transport_shutdown(struct vsock_sock *vsk, int mode)
> {
> - struct virtio_vsock_pkt_info info = {
> - .op = VIRTIO_VSOCK_OP_SHUTDOWN,
> - .flags = (mode & RCV_SHUTDOWN ?
> - VIRTIO_VSOCK_SHUTDOWN_RCV : 0) |
> - (mode & SEND_SHUTDOWN ?
> - VIRTIO_VSOCK_SHUTDOWN_SEND : 0),
> - .vsk = vsk,
> - };
> + struct virtio_vsock_pkt_info info = {0};
> +
> + info.op = VIRTIO_VSOCK_OP_SHUTDOWN;
> + info.flags = (mode & RCV_SHUTDOWN ?
> + VIRTIO_VSOCK_SHUTDOWN_RCV : 0) |
> + (mode & SEND_SHUTDOWN ?
> + VIRTIO_VSOCK_SHUTDOWN_SEND : 0);
> + info.vsk = vsk;
>
> return virtio_transport_send_pkt_info(vsk, &info);
> }
No. The unassigned members (including `pkt_len`, `remote_cid`,
`remote_port`, etc.) will be automatically initialized to 0?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v1] VSOCK: fix Information Leak in virtio_transport_shutdown()
2025-08-05 5:10 [PATCH v1] VSOCK: fix Information Leak in virtio_transport_shutdown() bsdhenrymartin
2025-08-05 6:55 ` Wang Liang
@ 2025-08-05 7:00 ` Stefano Garzarella
2025-08-05 8:53 ` henry martin
2025-08-05 8:08 ` [PATCH] " Markus Elfring
2 siblings, 1 reply; 5+ messages in thread
From: Stefano Garzarella @ 2025-08-05 7:00 UTC (permalink / raw)
To: bsdhenrymartin
Cc: huntazhang, jitxie, landonsun, stefanha, mst, jasowang, xuanzhuo,
eperezma, davem, edumazet, kuba, pabeni, horms, kvm,
virtualization, netdev, linux-kernel, Henry Martin, TCS Robot
On Tue, Aug 05, 2025 at 01:10:09PM +0800, bsdhenrymartin@gmail.com wrote:
>From: Henry Martin <bsdhenryma@tencent.com>
>
>The `struct virtio_vsock_pkt_info` is declared on the stack but only
>partially initialized (only `op`, `flags`, and `vsk` are set)
>
>The uninitialized fields (including `pkt_len`, `remote_cid`,
>`remote_port`, etc.) contain residual kernel stack data. This structure
>is passed to `virtio_transport_send_pkt_info()`, which uses the
>uninitialized fields.
>
>Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
>Reported-by: TCS Robot <tcs_robot@tencent.com>
>Signed-off-by: Henry Martin <bsdhenryma@tencent.com>
>---
> net/vmw_vsock/virtio_transport_common.c | 15 +++++++--------
> 1 file changed, 7 insertions(+), 8 deletions(-)
>
>diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
>index fe92e5fa95b4..cb391a98d025 100644
>--- a/net/vmw_vsock/virtio_transport_common.c
>+++ b/net/vmw_vsock/virtio_transport_common.c
>@@ -1073,14 +1073,14 @@ EXPORT_SYMBOL_GPL(virtio_transport_connect);
>
> int virtio_transport_shutdown(struct vsock_sock *vsk, int mode)
> {
>- struct virtio_vsock_pkt_info info = {
>- .op = VIRTIO_VSOCK_OP_SHUTDOWN,
>- .flags = (mode & RCV_SHUTDOWN ?
>- VIRTIO_VSOCK_SHUTDOWN_RCV : 0) |
>- (mode & SEND_SHUTDOWN ?
>- VIRTIO_VSOCK_SHUTDOWN_SEND : 0),
>- .vsk = vsk,
>- };
The compiler sets all other fields to 0, so I don't understand what this
patch solves.
Can you give an example of the problem you found?
Furthermore, even if this fix were valid, why do it for just one
function?
Stefano
>+ struct virtio_vsock_pkt_info info = {0};
>+
>+ info.op = VIRTIO_VSOCK_OP_SHUTDOWN;
>+ info.flags = (mode & RCV_SHUTDOWN ?
>+ VIRTIO_VSOCK_SHUTDOWN_RCV : 0) |
>+ (mode & SEND_SHUTDOWN ?
>+ VIRTIO_VSOCK_SHUTDOWN_SEND : 0);
>+ info.vsk = vsk;
>
> return virtio_transport_send_pkt_info(vsk, &info);
> }
>--
>2.41.3
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] VSOCK: fix Information Leak in virtio_transport_shutdown()
2025-08-05 5:10 [PATCH v1] VSOCK: fix Information Leak in virtio_transport_shutdown() bsdhenrymartin
2025-08-05 6:55 ` Wang Liang
2025-08-05 7:00 ` Stefano Garzarella
@ 2025-08-05 8:08 ` Markus Elfring
2 siblings, 0 replies; 5+ messages in thread
From: Markus Elfring @ 2025-08-05 8:08 UTC (permalink / raw)
To: Henry Martin, virtualization, kvm, netdev
Cc: tcs_robot, LKML, David S. Miller, Eric Dumazet,
Eugenio Pérez, huntazhang, Jakub Kicinski, Jason Wang,
jitxie, landonsun, Michael S. Tsirkin, Paolo Abeni, Simon Horman,
Stefano Garzarella, Stefan Hajnoczi, Xuan Zhuo
> The `struct virtio_vsock_pkt_info` is declared on the stack but only
> partially initialized (only `op`, `flags`, and `vsk` are set)
…
See also once more:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.16#n94
Would a summary phrase like “Prevent information leak in virtio_transport_shutdown()”
be nicer?
Regards,
Markus
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v1] VSOCK: fix Information Leak in virtio_transport_shutdown()
2025-08-05 7:00 ` Stefano Garzarella
@ 2025-08-05 8:53 ` henry martin
0 siblings, 0 replies; 5+ messages in thread
From: henry martin @ 2025-08-05 8:53 UTC (permalink / raw)
To: Stefano Garzarella
Cc: huntazhang, jitxie, landonsun, stefanha, mst, jasowang, xuanzhuo,
eperezma, davem, edumazet, kuba, pabeni, horms, kvm,
virtualization, netdev, linux-kernel, Henry Martin, TCS Robot
Thanks for the quick review. You're right—this patch is a false
positive. Modern compilers zero out the remaining fields, so the fix
isn't needed.
I'll be withdrawing all the patches and will ensure we more carefully
evaluate our robot's findings before submitting in the future.
Thanks for your help!
Stefano Garzarella <sgarzare@redhat.com> 于2025年8月5日周二 15:01写道:
>
> On Tue, Aug 05, 2025 at 01:10:09PM +0800, bsdhenrymartin@gmail.com wrote:
> >From: Henry Martin <bsdhenryma@tencent.com>
> >
> >The `struct virtio_vsock_pkt_info` is declared on the stack but only
> >partially initialized (only `op`, `flags`, and `vsk` are set)
> >
> >The uninitialized fields (including `pkt_len`, `remote_cid`,
> >`remote_port`, etc.) contain residual kernel stack data. This structure
> >is passed to `virtio_transport_send_pkt_info()`, which uses the
> >uninitialized fields.
> >
> >Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
> >Reported-by: TCS Robot <tcs_robot@tencent.com>
> >Signed-off-by: Henry Martin <bsdhenryma@tencent.com>
> >---
> > net/vmw_vsock/virtio_transport_common.c | 15 +++++++--------
> > 1 file changed, 7 insertions(+), 8 deletions(-)
> >
> >diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
> >index fe92e5fa95b4..cb391a98d025 100644
> >--- a/net/vmw_vsock/virtio_transport_common.c
> >+++ b/net/vmw_vsock/virtio_transport_common.c
> >@@ -1073,14 +1073,14 @@ EXPORT_SYMBOL_GPL(virtio_transport_connect);
> >
> > int virtio_transport_shutdown(struct vsock_sock *vsk, int mode)
> > {
> >- struct virtio_vsock_pkt_info info = {
> >- .op = VIRTIO_VSOCK_OP_SHUTDOWN,
> >- .flags = (mode & RCV_SHUTDOWN ?
> >- VIRTIO_VSOCK_SHUTDOWN_RCV : 0) |
> >- (mode & SEND_SHUTDOWN ?
> >- VIRTIO_VSOCK_SHUTDOWN_SEND : 0),
> >- .vsk = vsk,
> >- };
>
> The compiler sets all other fields to 0, so I don't understand what this
> patch solves.
> Can you give an example of the problem you found?
>
> Furthermore, even if this fix were valid, why do it for just one
> function?
>
> Stefano
>
> >+ struct virtio_vsock_pkt_info info = {0};
> >+
> >+ info.op = VIRTIO_VSOCK_OP_SHUTDOWN;
> >+ info.flags = (mode & RCV_SHUTDOWN ?
> >+ VIRTIO_VSOCK_SHUTDOWN_RCV : 0) |
> >+ (mode & SEND_SHUTDOWN ?
> >+ VIRTIO_VSOCK_SHUTDOWN_SEND : 0);
> >+ info.vsk = vsk;
> >
> > return virtio_transport_send_pkt_info(vsk, &info);
> > }
> >--
> >2.41.3
> >
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-08-05 8:53 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-05 5:10 [PATCH v1] VSOCK: fix Information Leak in virtio_transport_shutdown() bsdhenrymartin
2025-08-05 6:55 ` Wang Liang
2025-08-05 7:00 ` Stefano Garzarella
2025-08-05 8:53 ` henry martin
2025-08-05 8:08 ` [PATCH] " Markus Elfring
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).