From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Shigeru Yoshida <syoshida@redhat.com>,
Simon Horman <horms@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 39/97] tipc: Fix kernel-infoleak due to uninitialized TLV value
Date: Fri, 24 Nov 2023 17:50:12 +0000 [thread overview]
Message-ID: <20231124171935.612582487@linuxfoundation.org> (raw)
In-Reply-To: <20231124171934.122298957@linuxfoundation.org>
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shigeru Yoshida <syoshida@redhat.com>
[ Upstream commit fb317eb23b5ee4c37b0656a9a52a3db58d9dd072 ]
KMSAN reported the following kernel-infoleak issue:
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copy_to_user_iter lib/iov_iter.c:24 [inline]
iterate_ubuf include/linux/iov_iter.h:29 [inline]
iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
iterate_and_advance include/linux/iov_iter.h:271 [inline]
_copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
copy_to_iter include/linux/uio.h:197 [inline]
simple_copy_to_iter net/core/datagram.c:532 [inline]
__skb_datagram_iter.5+0x148/0xe30 net/core/datagram.c:420
skb_copy_datagram_iter+0x52/0x210 net/core/datagram.c:546
skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
netlink_recvmsg+0x43d/0x1630 net/netlink/af_netlink.c:1967
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg net/socket.c:1066 [inline]
__sys_recvfrom+0x476/0x860 net/socket.c:2246
__do_sys_recvfrom net/socket.c:2264 [inline]
__se_sys_recvfrom net/socket.c:2260 [inline]
__x64_sys_recvfrom+0x130/0x200 net/socket.c:2260
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was created at:
slab_post_alloc_hook+0x103/0x9e0 mm/slab.h:768
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x5f7/0xb50 mm/slub.c:3523
kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:560
__alloc_skb+0x2fd/0x770 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1286 [inline]
tipc_tlv_alloc net/tipc/netlink_compat.c:156 [inline]
tipc_get_err_tlv+0x90/0x5d0 net/tipc/netlink_compat.c:170
tipc_nl_compat_recv+0x1042/0x15d0 net/tipc/netlink_compat.c:1324
genl_family_rcv_msg_doit net/netlink/genetlink.c:972 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
genl_rcv_msg+0x1220/0x12c0 net/netlink/genetlink.c:1067
netlink_rcv_skb+0x4a4/0x6a0 net/netlink/af_netlink.c:2545
genl_rcv+0x41/0x60 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0xf4b/0x1230 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x1242/0x1420 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x997/0xd60 net/socket.c:2588
___sys_sendmsg+0x271/0x3b0 net/socket.c:2642
__sys_sendmsg net/socket.c:2671 [inline]
__do_sys_sendmsg net/socket.c:2680 [inline]
__se_sys_sendmsg net/socket.c:2678 [inline]
__x64_sys_sendmsg+0x2fa/0x4a0 net/socket.c:2678
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Bytes 34-35 of 36 are uninitialized
Memory access of size 36 starts at ffff88802d464a00
Data copied to user address 00007ff55033c0a0
CPU: 0 PID: 30322 Comm: syz-executor.0 Not tainted 6.6.0-14500-g1c41041124bd #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
=====================================================
tipc_add_tlv() puts TLV descriptor and value onto `skb`. This size is
calculated with TLV_SPACE() macro. It adds the size of struct tlv_desc and
the length of TLV value passed as an argument, and aligns the result to a
multiple of TLV_ALIGNTO, i.e., a multiple of 4 bytes.
If the size of struct tlv_desc plus the length of TLV value is not aligned,
the current implementation leaves the remaining bytes uninitialized. This
is the cause of the above kernel-infoleak issue.
This patch resolves this issue by clearing data up to an aligned size.
Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/netlink_compat.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index 59e8e17d8da9c..2276a0704a635 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -101,6 +101,7 @@ static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len)
return -EMSGSIZE;
skb_put(skb, TLV_SPACE(len));
+ memset(tlv, 0, TLV_SPACE(len));
tlv->tlv_type = htons(type);
tlv->tlv_len = htons(TLV_LENGTH(len));
if (len && data)
--
2.42.0
next prev parent reply other threads:[~2023-11-24 17:58 UTC|newest]
Thread overview: 103+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-24 17:49 [PATCH 4.19 00/97] 4.19.300-rc1 review Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 01/97] locking/ww_mutex/test: Fix potential workqueue corruption Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 02/97] perf/core: Bail out early if the request AUX area is out of bound Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 03/97] clocksource/drivers/timer-imx-gpt: Fix potential memory leak Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 04/97] clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 05/97] x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 06/97] wifi: mac80211: dont return unset power in ieee80211_get_tx_power() Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 07/97] wifi: ath9k: fix clang-specific fortify warnings Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 08/97] wifi: ath10k: fix clang-specific fortify warning Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 09/97] net: annotate data-races around sk->sk_tx_queue_mapping Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 10/97] net: annotate data-races around sk->sk_dst_pending_confirm Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 11/97] Bluetooth: Fix double free in hci_conn_cleanup Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 12/97] platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 13/97] drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 14/97] drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 15/97] drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 16/97] selftests/efivarfs: create-read: fix a resource leak Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 17/97] crypto: pcrypt - Fix hungtask for PADATA_RESET Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 18/97] RDMA/hfi1: Use FIELD_GET() to extract Link Width Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 19/97] fs/jfs: Add check for negative db_l2nbperpage Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 20/97] fs/jfs: Add validity check for db_maxag and db_agpref Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 21/97] jfs: fix array-index-out-of-bounds in dbFindLeaf Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 22/97] jfs: fix array-index-out-of-bounds in diAlloc Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 23/97] ARM: 9320/1: fix stack depot IRQ stack filter Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 24/97] ALSA: hda: Fix possible null-ptr-deref when assigning a stream Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 25/97] atm: iphase: Do PCI error checks on own line Greg Kroah-Hartman
2023-11-24 17:49 ` [PATCH 4.19 26/97] scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 27/97] HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 28/97] tty: vcc: Add check for kstrdup() in vcc_probe() Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 29/97] usb: gadget: f_ncm: Always set current gadget in ncm_bind() Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 30/97] i2c: sun6i-p2wi: Prevent potential division by zero Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 31/97] media: gspca: cpia1: shift-out-of-bounds in set_flicker Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 32/97] media: vivid: avoid integer overflow Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 33/97] gfs2: ignore negated quota changes Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 34/97] drm/amd/display: Avoid NULL dereference of timing generator Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 35/97] pwm: Fix double shift bug Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 36/97] NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 37/97] ipvlan: add ipvlan_route_v6_outbound() helper Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 38/97] tty: Fix uninit-value access in ppp_sync_receive() Greg Kroah-Hartman
2023-11-24 17:50 ` Greg Kroah-Hartman [this message]
2023-11-24 17:50 ` [PATCH 4.19 40/97] ppp: limit MRU to 64K Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 41/97] xen/events: fix delayed eoi list handling Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 42/97] ptp: annotate data-race around q->head and q->tail Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 43/97] net: ethernet: cortina: Fix max RX frame define Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 44/97] net: ethernet: cortina: Handle large frames Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 45/97] net: ethernet: cortina: Fix MTU max setting Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 46/97] macvlan: Dont propagate promisc change to lower dev in passthru Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 47/97] cifs: spnego: add ; in HOST_KEY_LEN Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 48/97] media: venus: hfi: add checks to perform sanity on queue pointers Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 49/97] randstruct: Fix gcc-plugin performance mode to stay in group Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 50/97] KVM: x86: Ignore MSR_AMD64_TW_CFG access Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 51/97] audit: dont take task_lock() in audit_exe_compare() code path Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 52/97] audit: dont WARN_ON_ONCE(!current->mm) in audit_exe_compare() Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 53/97] hvc/xen: fix error path in xen_hvc_init() to always register frontend driver Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 54/97] PCI/sysfs: Protect drivers D3cold preference from user space Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 55/97] mmc: meson-gx: Remove setting of CMD_CFG_ERROR Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 56/97] genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 57/97] PCI: keystone: Dont discard .remove() callback Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 58/97] PCI: keystone: Dont discard .probe() callback Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 59/97] parisc/pdc: Add width field to struct pdc_model Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 60/97] parisc/power: Add power soft-off when running on qemu Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 61/97] clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 62/97] mmc: vub300: fix an error code Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 63/97] PM: hibernate: Use __get_safe_page() rather than touching the list Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 64/97] PM: hibernate: Clean up sync_read handling in snapshot_write_next() Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 65/97] jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 66/97] quota: explicitly forbid quota files from being encrypted Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 67/97] mcb: fix error handling for different scenarios when parsing Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 68/97] dmaengine: stm32-mdma: correct desc prep when channel running Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 69/97] s390/cmma: fix initial kernel address space page table walk Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 70/97] s390/cmma: fix handling of swapper_pg_dir and invalid_pg_dir Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 71/97] parisc: Prevent booting 64-bit kernels on PA1.x machines Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 72/97] parisc/pgtable: Do not drop upper 5 address bits of physical address Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 73/97] parisc/power: Fix power soft-off when running on qemu Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 74/97] ALSA: info: Fix potential deadlock at disconnection Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 75/97] ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 76/97] tty: serial: meson: if no alias specified use an available id Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 77/97] tty/serial: Migrate meson_uart to use has_sysrq Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 78/97] serial: meson: remove redundant initialization of variable id Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 79/97] tty: serial: meson: retrieve port FIFO size from DT Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 80/97] serial: meson: Use platform_get_irq() to get the interrupt Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 81/97] tty: serial: meson: fix hard LOCKUP on crtscts mode Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 82/97] net: dsa: lan9303: consequently nested-lock physical MDIO Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 83/97] i2c: i801: fix potential race in i801_block_transaction_byte_by_byte Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 84/97] media: lirc: drop trailing space from scancode transmit Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 85/97] media: sharp: fix sharp encoding Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.19 86/97] media: venus: hfi_parser: Add check to keep the number of codecs within range Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.19 87/97] media: venus: hfi: fix the check to handle session buffer requirement Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.19 88/97] media: venus: hfi: add checks to handle capabilities from firmware Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.19 89/97] Revert "net: r8169: Disable multicast filter for RTL8168H and RTL8107E" Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.19 90/97] ext4: apply umask if ACL support is disabled Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.19 91/97] ext4: correct offset of gdb backup in non meta_bg group to update_backups Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.19 92/97] ext4: correct return value of ext4_convert_meta_bg Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.19 93/97] ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.19 94/97] drm/amdgpu: fix error handling in amdgpu_bo_list_get() Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.19 95/97] scsi: virtio_scsi: limit number of hw queues by nr_cpu_ids Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.19 96/97] iomap: Set all uptodate bits for an Uptodate page Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.19 97/97] net: sched: fix race condition in qdisc_graft() Greg Kroah-Hartman
2023-11-24 19:13 ` [PATCH 4.19 00/97] 4.19.300-rc1 review Daniel Díaz
2023-11-25 11:20 ` Pavel Machek
2023-11-25 15:26 ` Greg Kroah-Hartman
2023-11-25 16:44 ` Pavel Machek
2023-11-25 15:43 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231124171935.612582487@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=horms@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syoshida@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox