From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Alper Ak <alperyasinak1@gmail.com>,
davem@davemloft.net, dsahern@kernel.org, edumazet@google.com,
kuba@kernel.org
Cc: Alper Ak <alperyasinak1@gmail.com>,
Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Kuniyuki Iwashima <kuniyu@google.com>,
Breno Leitao <leitao@debian.org>,
Willem de Bruijn <willemb@google.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: ipv4: ipmr: Prevent information leak in ipmr_sk_ioctl()
Date: Tue, 30 Dec 2025 14:35:45 -0500 [thread overview]
Message-ID: <willemdebruijn.kernel.332a5aa0f6f9f@gmail.com> (raw)
In-Reply-To: <20251227073743.17272-1-alperyasinak1@gmail.com>
Alper Ak wrote:
> struct sioc_vif_req has a padding hole after the vifi field due to
> alignment requirements. These padding bytes were uninitialized,
> potentially leaking kernel stack memory to userspace when the
> struct is copied via sock_ioctl_inout().
>
> Reported by Smatch:
> net/ipv4/ipmr.c:1575 ipmr_sk_ioctl() warn: check that 'buffer'
> doesn't leak information (struct has a hole after 'vifi')
>
> Fixes: e1d001fa5b47 ("net: ioctl: Use kernel memory on protocol ioctl callbacks")
The commit mentions other similar cases. If this is a concern for
sioc_vif_req, then it likely would alos be for sioc_mif_req6, which
similarly has a hole.
> Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
> ---
> net/ipv4/ipmr.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
> index ca9eaee4c2ef..18441fbe7ed7 100644
> --- a/net/ipv4/ipmr.c
> +++ b/net/ipv4/ipmr.c
> @@ -1571,6 +1571,7 @@ int ipmr_sk_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
> /* These userspace buffers will be consumed by ipmr_ioctl() */
> case SIOCGETVIFCNT: {
> struct sioc_vif_req buffer;
> + memset(&buffer, 0, sizeof(buffer));
>
> return sock_ioctl_inout(sk, cmd, arg, &buffer,
> sizeof(buffer));
sock_ioctl_inout copies the whole struct from userspace, calls a
domain specific callback and then copies the whole struct back:
if (copy_from_user(karg, arg, size))
return -EFAULT;
ret = READ_ONCE(sk->sk_prot)->ioctl(sk, cmd, karg);
if (ret)
return ret;
if (copy_to_user(arg, karg, size))
return -EFAULT;
As a result every byte of the memset will be overwritten with the
copy_from_user.
> --
> 2.43.0
>
prev parent reply other threads:[~2025-12-30 19:35 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-27 7:37 [PATCH] net: ipv4: ipmr: Prevent information leak in ipmr_sk_ioctl() Alper Ak
2025-12-30 19:35 ` Willem de Bruijn [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=willemdebruijn.kernel.332a5aa0f6f9f@gmail.com \
--to=willemdebruijn.kernel@gmail.com \
--cc=alperyasinak1@gmail.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=leitao@debian.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).