* Patch "sctp: do not leak kernel memory to user space" has been added to the 4.9-stable tree
@ 2018-04-11 9:03 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2018-04-11 9:03 UTC (permalink / raw)
To: edumazet, davem, gregkh, nhorman, syzkaller, vyasevich
Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
sctp: do not leak kernel memory to user space
to the 4.9-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
sctp-do-not-leak-kernel-memory-to-user-space.patch
and it can be found in the queue-4.9 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From foo@baz Wed Apr 11 10:26:56 CEST 2018
From: Eric Dumazet <edumazet@google.com>
Date: Sat, 7 Apr 2018 17:15:22 -0700
Subject: sctp: do not leak kernel memory to user space
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 6780db244d6b1537d139dea0ec8aad10cf9e4adb ]
syzbot produced a nice report [1]
Issue here is that a recvmmsg() managed to leak 8 bytes of kernel memory
to user space, because sin_zero (padding field) was not properly cleared.
[1]
BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 net/socket.c:227
CPU: 1 PID: 3586 Comm: syzkaller481044 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
copy_to_user include/linux/uaccess.h:184 [inline]
move_addr_to_user+0x32e/0x530 net/socket.c:227
___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
__sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4401c9
RSP: 002b:00007ffc56f73098 EFLAGS: 00000217 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9
RDX: 0000000000000001 RSI: 0000000020003ac0 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000020003bc0 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401af0
R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000
Local variable description: ----addr@___sys_recvmsg
Variable was created at:
___sys_recvmsg+0xd5/0x810 net/socket.c:2172
__sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
Bytes 8-15 of 16 are uninitialized
==================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 3586 Comm: syzkaller481044 Tainted: G B 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
panic+0x39d/0x940 kernel/panic.c:183
kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
copy_to_user include/linux/uaccess.h:184 [inline]
move_addr_to_user+0x32e/0x530 net/socket.c:227
___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
__sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/ipv6.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -727,8 +727,10 @@ static int sctp_v6_addr_to_user(struct s
sctp_v6_map_v4(addr);
}
- if (addr->sa.sa_family == AF_INET)
+ if (addr->sa.sa_family == AF_INET) {
+ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
return sizeof(struct sockaddr_in);
+ }
return sizeof(struct sockaddr_in6);
}
Patches currently in stable-queue which might be from edumazet@google.com are
queue-4.9/tcp-better-validation-of-received-ack-sequences.patch
queue-4.9/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
queue-4.9/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch
queue-4.9/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch
queue-4.9/x86-asm-don-t-use-rbp-as-a-temporary-register-in-csum_partial_copy_generic.patch
queue-4.9/net-fool-proof-dev_valid_name.patch
queue-4.9/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch
queue-4.9/vti6-better-validate-user-provided-tunnel-names.patch
queue-4.9/ipv6-sit-better-validate-user-provided-tunnel-names.patch
queue-4.9/ip6_tunnel-better-validate-user-provided-tunnel-names.patch
queue-4.9/sctp-do-not-leak-kernel-memory-to-user-space.patch
queue-4.9/ip_tunnel-better-validate-user-provided-tunnel-names.patch
queue-4.9/skbuff-only-inherit-relevant-tx_flags.patch
queue-4.9/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
queue-4.9/ip6_gre-better-validate-user-provided-tunnel-names.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2018-04-11 9:05 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-04-11 9:03 Patch "sctp: do not leak kernel memory to user space" has been added to the 4.9-stable tree gregkh
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).