From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 04/52] l2tp: fix infoleak in l2tp_ip6_recvmsg()
Date: Mon, 18 Mar 2019 10:25:01 +0100
Message-ID: <20190318084014.054268784@linuxfoundation.org>
In-Reply-To: <20190318084013.532280682@linuxfoundation.org>
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 163d1c3d6f17556ed3c340d3789ea93be95d6c28 ]
Back in 2013 Hannes took care of most of such leaks in commit
bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")
But the bug in l2tp_ip6_recvmsg() has not been fixed.
syzbot report:
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x173/0x1d0 lib/dump_stack.c:113
kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694
kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
_copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
copy_to_user include/linux/uaccess.h:174 [inline]
move_addr_to_user+0x311/0x570 net/socket.c:227
___sys_recvmsg+0xb65/0x1310 net/socket.c:2283
do_recvmmsg+0x646/0x10c0 net/socket.c:2390
__sys_recvmmsg net/socket.c:2469 [inline]
__do_sys_recvmmsg net/socket.c:2492 [inline]
__se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485
__x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x445819
Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f64453eddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445819
RDX: 0000000000000005 RSI: 0000000020002f80 RDI: 0000000000000003
RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
R13: 00007ffeba8f87af R14: 00007f64453ee9c0 R15: 20c49ba5e353f7cf
Local variable description: ----addr@___sys_recvmsg
Variable was created at:
___sys_recvmsg+0xf6/0x1310 net/socket.c:2244
do_recvmmsg+0x646/0x10c0 net/socket.c:2390
Bytes 0-31 of 32 are uninitialized
Memory access of size 32 starts at ffff8880ae62fbb0
Data copied to user address 0000000020000000
Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/l2tp/l2tp_ip6.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -674,9 +674,6 @@ static int l2tp_ip6_recvmsg(struct sock
if (flags & MSG_OOB)
goto out;
- if (addr_len)
- *addr_len = sizeof(*lsa);
-
if (flags & MSG_ERRQUEUE)
return ipv6_recv_error(sk, msg, len, addr_len);
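Review bot: removing this block is the substance of the fix, and the thing to confirm is that every return that follows it leaves *addr_len exactly as the caller initialized it. The old assignment ran before the `ipv6_recv_error()` return and before any packet had been dequeued, so a path that returned to the socket layer without writing `lsa` still advertised sizeof(*lsa), i.e. the 32 bytes of the never-written `addr@___sys_recvmsg` that KMSAN reports being copied to user space. With the block gone, nothing in this function touches the length until the address itself is written; the `MSG_ERRQUEUE` path still hands addr_len to `ipv6_recv_error()`, which owns the length for that case.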
@@ -706,6 +703,7 @@ static int l2tp_ip6_recvmsg(struct sock
lsa->l2tp_conn_id = 0;
if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
lsa->l2tp_scope_id = inet6_iif(skb);
+ *addr_len = sizeof(*lsa);
}
if (np->rxopt.all)
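Review bot: the added `*addr_len = sizeof(*lsa);` dereferences addr_len without the `if (addr_len)` guard the removed block carried. That is safe because the socket layer always passes `&msg->msg_namelen`, but the asymmetry deserves a sentence in the commit message so a later reader does not reintroduce the guard (and the early assignment with it). Placing the store as the last statement inside the `if (lsa) { ... }` block, after `l2tp_scope_id` and every other field has been written, is the right shape: the length is now set only where the bytes it describes exist, so no early-return path can advertise a stale length.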
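As an added illustration, constructed for this page and not part of the patch or of the kernel, the C program below models the pattern the patch corrects: a protocol recvmsg that sets the address length before it has written the address, and a caller modelled on ___sys_recvmsg that zeroes msg_namelen, calls the protocol, and then copies msg_namelen bytes of its stack buffer out. A poison byte stands in for KMSAN's "uninitialized" shadow so the leak can be counted without the sanitizer. The struct layout follows the kernel's struct sockaddr_l2tpip6 (32 bytes, the size in the report); the names `l2tp_recvmsg_model`, `leaked_bytes`, `msghdr_model`, the `have_addr` flag and the POISON marker are assumptions of the model.

```c
/* Model of the l2tp_ip6_recvmsg() infoleak: an address length advertised
 * before the address is written. Constructed example, not kernel code. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define POISON 0xAA        /* stands in for KMSAN's "uninitialized" shadow */
#define AF_INET6_MODEL 10  /* numeric value of AF_INET6 on Linux */

/* Layout follows the kernel's struct sockaddr_l2tpip6: 32 bytes, the
 * size the KMSAN report shows being copied to user space. */
struct sockaddr_l2tpip6 {
	uint16_t l2tp_family;
	uint16_t l2tp_unused;
	uint32_t l2tp_flowinfo;
	uint8_t  l2tp_addr[16];
	uint32_t l2tp_scope_id;
	uint32_t l2tp_conn_id;
};

struct msghdr_model {
	void *msg_name;    /* points at the caller's stack buffer */
	int   msg_namelen; /* how many bytes the caller will copy out */
};

/* Modelled protocol recvmsg. have_addr == 0 models a path that returns
 * success without writing the address. fixed == 0 reproduces the removed
 * early assignment; fixed == 1 sets *addr_len only after lsa is filled,
 * as the patch does. */
static int l2tp_recvmsg_model(struct msghdr_model *msg, int have_addr, int fixed)
{
	struct sockaddr_l2tpip6 *lsa = msg->msg_name;
	int *addr_len = &msg->msg_namelen;

	if (!fixed)
		*addr_len = sizeof(*lsa);  /* bug: promises 32 bytes unconditionally */

	if (!have_addr)
		return 0;                  /* success, but lsa was never written */

	if (lsa) {
		memset(lsa, 0, sizeof(*lsa));
		lsa->l2tp_family = AF_INET6_MODEL;
		memset(lsa->l2tp_addr, 0x01, sizeof lsa->l2tp_addr); /* constructed source address */
		if (fixed)
			*addr_len = sizeof(*lsa);  /* fix: length set beside the data it describes */
	}
	return 0;
}

/* Modelled ___sys_recvmsg: poisons the stack buffer, zeroes msg_namelen
 * (as the socket layer does since commit bceaa90240b6), calls the
 * protocol, then copies msg_namelen bytes out like move_addr_to_user().
 * Returns how many poisoned (never written) bytes reached the "user"
 * buffer; 0 means no leak. */
int leaked_bytes(int have_addr, int fixed)
{
	unsigned char addr[sizeof(struct sockaddr_l2tpip6)];
	unsigned char user[sizeof(addr)];
	struct msghdr_model msg;
	int leaked = 0;
	int i;

	memset(addr, POISON, sizeof addr);  /* stale stack contents */
	msg.msg_name = addr;
	msg.msg_namelen = 0;

	if (l2tp_recvmsg_model(&msg, have_addr, fixed) < 0)
		return 0;  /* the caller does not copy the address on error */

	memcpy(user, addr, (size_t)msg.msg_namelen);
	for (i = 0; i < msg.msg_namelen; i++)
		if (user[i] == POISON)
			leaked++;
	return leaked;
}

int main(void)
{
	printf("buggy, no address written: %d poisoned bytes copied\n", leaked_bytes(0, 0));
	printf("buggy, address written:    %d poisoned bytes copied\n", leaked_bytes(1, 0));
	printf("fixed, no address written: %d poisoned bytes copied\n", leaked_bytes(0, 1));
	printf("fixed, address written:    %d poisoned bytes copied\n", leaked_bytes(1, 1));
	return 0;
}
```

The only case that leaks is the buggy variant on the path that never writes the address: it copies all 32 poisoned bytes, which is the shape of the KMSAN report above. The fixed variant keeps the caller's zero length on that path, and both variants are clean when the address really is written, which is why the bug survived ordinary testing and needed a sanitizer to surface.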