* [PATCH v2] xfrm: clear trailing padding in build_polexpire()
  [not found] <20260321210421.2504711-1-yasuakitorimaru@gmail.com>
@ 2026-03-24  1:37 ` Yasuaki Torimaru
  2026-03-25 17:15   ` Simon Horman
  0 siblings, 1 reply; 4+ messages in thread
From: Yasuaki Torimaru @ 2026-03-24  1:37 UTC (permalink / raw)
  To: netdev
  Cc: steffen.klassert, herbert, davem, edumazet, kuba, pabeni, horms, stable, Yasuaki Torimaru

build_expire() clears the trailing padding bytes of struct
xfrm_user_expire after setting the hard field via memset_after(),
but the analogous function build_polexpire() does not do this for
struct xfrm_user_polexpire.

The padding bytes after the __u8 hard field are left
uninitialized from the heap allocation, and are then sent to
userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,
leaking kernel heap memory contents.

Add the missing memset_after() call, matching build_expire().

Fixes: e3e5fc1698ae ("xfrm_user: fix info leak in build_expire()")
Cc: stable@vger.kernel.org
Signed-off-by: Yasuaki Torimaru <yasuakitorimaru@gmail.com>
---
Verified with pahole (struct xfrm_user_polexpire):
- x86_64: sizeof=176, padding=7
- i386: sizeof=168, padding=3
- aarch64: sizeof=176, padding=7
- armv7l (hf): sizeof=176, padding=7

 net/xfrm/xfrm_user.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 403b5ecac2c5..ee31ef482be4 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3948,6 +3948,8 @@ static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp,
 		return err;
 	}
 	upe->hard = !!hard;
+	/* clear the padding bytes */
+	memset_after(upe, 0, hard);
 
 	nlmsg_end(skb, nlh);
 	return 0;
-- 
2.50.1
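Review bot: the Fixes: tag names e3e5fc1698ae, which is the earlier build_expire() fix rather than the commit that introduced the uncleared padding in build_polexpire(); point it at the commit that added build_polexpire() so stable backport tooling selects every affected tree, and keep the Cc: stable line as is. The hunk itself is correct: memset_after(upe, 0, hard) sits after the final assignment to upe->hard, so it zeroes only the compiler-inserted tail bytes (7 on x86_64 and aarch64, 3 on i386 per the pahole figures in the notes above) and cannot touch any named member.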
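As an added illustration of the bug class the patch fixes (this is not code from the patch or from the kernel tree), the following userspace C program models what happens when a netlink message struct is filled member by member inside a buffer that still holds an earlier allocation's bytes, and then applies the same memset_after() idiom the patch adds. The offsetofend() and memset_after() macros are userspace re-creations of the kernel helpers with the same semantics (an assumption, not the kernel's own definitions), and struct polexpire_like is a hypothetical stand-in with one 8-byte-aligned member followed by the __u8 hard flag; on LP64 it has 7 tail padding bytes, the same count pahole reports for the real struct xfrm_user_polexpire on x86_64 in the patch notes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace re-creation (assumption) of the kernel helpers: offsetofend() is
 * the byte just past MEMBER, and memset_after() fills everything from there
 * to the end of the object with v. */
#define offsetofend(TYPE, MEMBER) \
	(offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

#define memset_after(obj, v, member)                                          \
	memset((unsigned char *)(obj) + offsetofend(__typeof__(*(obj)), member), \
	       (v), sizeof(*(obj)) - offsetofend(__typeof__(*(obj)), member))

/* Hypothetical stand-in for struct xfrm_user_polexpire: an 8-byte-aligned
 * payload followed by the __u8 hard flag. The compiler pads the tail up to
 * the alignment of the largest member; those bytes are what leaks. */
struct polexpire_like {
	uint64_t pol;   /* stands in for struct xfrm_userpolicy_info */
	uint8_t  hard;
	/* implicit tail padding here */
};

/* The real code gets its buffer from nlmsg_put() inside a kmalloc'd skb.
 * A union keeps the raw byte view and the struct view aligned. */
union msg {
	unsigned char raw[sizeof(struct polexpire_like)];
	struct polexpire_like upe;
};

#define STALE 0xA5 /* constructed stand-in for whatever the allocation held before */

size_t tail_padding_bytes(void)
{
	return sizeof(struct polexpire_like) -
	       offsetofend(struct polexpire_like, hard);
}

/* "Before": every named member is written, but the padding keeps the
 * previous contents of the allocation. */
void build_polexpire_leaky(union msg *m, int hard)
{
	m->upe.pol = 0x1122334455667788ULL;
	m->upe.hard = !!hard;
}

/* "After": the patch's idiom, clear everything past the last member. */
void build_polexpire_fixed(union msg *m, int hard)
{
	m->upe.pol = 0x1122334455667788ULL;
	m->upe.hard = !!hard;
	/* clear the padding bytes */
	memset_after(&m->upe, 0, hard);
}

/* Simulate the receiving side: count bytes after `hard` that still carry the
 * stale pattern, i.e. bytes that would reach XFRMNLGRP_EXPIRE listeners
 * without the builder ever having written them. */
size_t stale_bytes_after_hard(void (*build)(union msg *, int), int hard)
{
	union msg m;
	size_t i, n = 0;

	memset(m.raw, STALE, sizeof m.raw);   /* poison: simulated prior heap contents */
	build(&m, hard);
	for (i = offsetofend(struct polexpire_like, hard); i < sizeof m.raw; i++)
		if (m.raw[i] == STALE)
			n++;
	return n;
}

/* The fix must not disturb the flag it is placed after. */
int hard_flag_after_fixed(int hard)
{
	union msg m;

	memset(m.raw, STALE, sizeof m.raw);
	build_polexpire_fixed(&m, hard);
	return m.upe.hard;
}

int main(void)
{
	printf("tail padding after hard: %zu bytes\n", tail_padding_bytes());
	printf("leaky builder leaves %zu stale bytes\n",
	       stale_bytes_after_hard(build_polexpire_leaky, 1));
	printf("fixed builder leaves %zu stale bytes\n",
	       stale_bytes_after_hard(build_polexpire_fixed, 1));
	return 0;
}
```

The poison pattern plays the role of the stale heap data the commit message describes; the leaky builder leaves exactly as many poisoned bytes as the struct has tail padding, while the fixed builder leaves none and keeps the flag value intact, which is why the memset_after() call belongs after the last assignment to the member it is anchored on.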
* Re: [PATCH v2] xfrm: clear trailing padding in build_polexpire()
  2026-03-24  1:37 ` [PATCH v2] xfrm: clear trailing padding in build_polexpire() Yasuaki Torimaru
@ 2026-03-25 17:15   ` Simon Horman
  2026-03-26  5:55     ` Yasuaki Torimaru
  2026-03-26  5:57     ` Yasuaki Torimaru
  0 siblings, 2 replies; 4+ messages in thread
From: Simon Horman @ 2026-03-25 17:15 UTC (permalink / raw)
  To: Yasuaki Torimaru
  Cc: netdev, steffen.klassert, herbert, davem, edumazet, kuba, pabeni, stable

On Tue, Mar 24, 2026 at 10:37:42AM +0900, Yasuaki Torimaru wrote:
> build_expire() clears the trailing padding bytes of struct
> xfrm_user_expire after setting the hard field via memset_after(),
> but the analogous function build_polexpire() does not do this for
> struct xfrm_user_polexpire.
> 
> The padding bytes after the __u8 hard field are left
> uninitialized from the heap allocation, and are then sent to
> userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,
> leaking kernel heap memory contents.
> 
> Add the missing memset_after() call, matching build_expire().
> 
> Fixes: e3e5fc1698ae ("xfrm_user: fix info leak in build_expire()")

I think the Fixes tag should cite the patch that introduced the bug. The
commit cited above looks like a related fix, but not the cause of the bug.

> Cc: stable@vger.kernel.org
> Signed-off-by: Yasuaki Torimaru <yasuakitorimaru@gmail.com>
> ---
> Verified with pahole (struct xfrm_user_polexpire):
> - x86_64: sizeof=176, padding=7
> - i386: sizeof=168, padding=3
> - aarch64: sizeof=176, padding=7
> - armv7l (hf): sizeof=176, padding=7
>  net/xfrm/xfrm_user.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index 403b5ecac2c5..ee31ef482be4 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -3948,6 +3948,8 @@ static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp,
>  		return err;
>  	}
>  	upe->hard = !!hard;
> +	/* clear the padding bytes */
> +	memset_after(upe, 0, hard);
>  
>  	nlmsg_end(skb, nlh);
>  	return 0;
> -- 
> 2.50.1
> 
* Re: [PATCH v2] xfrm: clear trailing padding in build_polexpire()
  2026-03-25 17:15   ` Simon Horman
@ 2026-03-26  5:55     ` Yasuaki Torimaru
  2026-03-26  5:57     ` Yasuaki Torimaru
  1 sibling, 0 replies; 4+ messages in thread
From: Yasuaki Torimaru @ 2026-03-26  5:55 UTC (permalink / raw)
  To: Simon Horman
  Cc: netdev, steffen.klassert, herbert, davem, edumazet, kuba, pabeni, stable

On Thu, 27 Mar 2026, Simon Horman wrote:
> I think the Fixes tag should cite the patch that introduced the bug. The
> commit cited above looks like a related fix, but not the cause of the bug.

You're right. build_polexpire() has existed since the initial import
(1da177e4c3f4), so the padding has been uninitialized from the beginning.

Sending v3 with the corrected Fixes tag.
* Re: [PATCH v2] xfrm: clear trailing padding in build_polexpire()
  2026-03-25 17:15   ` Simon Horman
  2026-03-26  5:55     ` Yasuaki Torimaru
@ 2026-03-26  5:57     ` Yasuaki Torimaru
  1 sibling, 0 replies; 4+ messages in thread
From: Yasuaki Torimaru @ 2026-03-26  5:57 UTC (permalink / raw)
  To: Simon Horman
  Cc: netdev, steffen.klassert, herbert, davem, edumazet, kuba, pabeni, stable

On Thu, 27 Mar 2026, Simon Horman wrote:
> I think the Fixes tag should cite the patch that introduced the bug. The
> commit cited above looks like a related fix, but not the cause of the bug.

You're right. build_polexpire() has existed since the initial import
(1da177e4c3f4), so the padding has been uninitialized from the beginning.

Sending v3 with the corrected Fixes tag.