Date: Fri, 27 Mar 2026 09:46:39 -0700
From: Breno Leitao
To: Yasuaki Torimaru
Cc: netdev@vger.kernel.org, steffen.klassert@secunet.com, herbert@gondor.apana.org.au, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH net v3] xfrm: clear trailing padding in build_polexpire()
In-Reply-To: <20260326055801.897013-1-yasuakitorimaru@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

On Thu, Mar 26, 2026 at 02:58:00PM +0900, Yasuaki Torimaru wrote:
> build_expire() clears the trailing padding bytes of struct
> xfrm_user_expire after setting the hard field via memset_after(),
> but the analogous function build_polexpire() does not do this for
> struct xfrm_user_polexpire.
>
> The padding bytes after the __u8 hard field are left
> uninitialized from the heap allocation, and are then sent to
> userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,
> leaking kernel heap memory contents.
>
> Add the missing memset_after() call, matching build_expire().
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Yasuaki Torimaru

Reviewed-by: Breno Leitao
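
The following is an added illustration, not part of this thread or of the kernel patch: a user-space C model of the padding leak the commit message describes, with and without the clearing step. `struct demo_polexpire`, the 0xAA fill standing in for stale heap contents, and the function names are assumptions made for the example; the kernel's `memset_after()` is modelled with a plain `memset()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct xfrm_user_polexpire: a wide member, then a one-byte flag. */
struct demo_polexpire {
    uint64_t pol;   /* stand-in for the embedded policy info */
    uint8_t  hard;  /* last member; the compiler adds padding after it */
};

#define OFFSETOFEND(type, m) (offsetof(type, m) + sizeof(((type *)0)->m))

/* Number of bytes between the end of 'hard' and the end of the struct. */
size_t trailing_padding(void)
{
    return sizeof(struct demo_polexpire) - OFFSETOFEND(struct demo_polexpire, hard);
}

/*
 * Build one message in a buffer pre-filled with 0xAA (constructed stand-in
 * for stale heap data) and return how many stale bytes the receiver would
 * see when the whole struct is copied out.
 */
size_t stale_bytes_sent(int clear_padding)
{
    size_t end = OFFSETOFEND(struct demo_polexpire, hard);
    size_t n = 0;
    unsigned char *buf = malloc(sizeof(struct demo_polexpire));
    if (!buf)
        return (size_t)-1;
    memset(buf, 0xAA, sizeof(struct demo_polexpire));

    struct demo_polexpire *upe = (struct demo_polexpire *)buf;
    upe->pol = 42;
    upe->hard = 1;
    if (clear_padding)  /* models memset_after(upe, 0, hard) */
        memset(buf + end, 0, sizeof(*upe) - end);

    for (size_t i = end; i < sizeof(*upe); i++)
        n += (buf[i] == 0xAA);
    free(buf);
    return n;
}

int main(void)
{
    printf("padding=%zu stale(no clear)=%zu stale(clear)=%zu\n",
           trailing_padding(), stale_bytes_sent(0), stale_bytes_sent(1));
    return 0;
}
```

Setting every named member is not enough when the full `sizeof` of the struct is sent: the bytes after the last member have to be cleared explicitly, or the buffer zeroed before it is filled.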