From mboxrd@z Thu Jan 1 00:00:00 1970
From: Sasha Levin
To: stable@vger.kernel.org
Cc: Yasuaki Torimaru, Simon Horman, Breno Leitao, Steffen Klassert, Sasha Levin
Subject: [PATCH 5.15.y] xfrm: clear trailing padding in build_polexpire()
Date: Mon, 13 Apr 2026 17:59:48 -0400
Message-ID: <20260413215948.3711943-1-sashal@kernel.org>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <2026041331-wiring-revenge-aec2@gregkh>
References: <2026041331-wiring-revenge-aec2@gregkh>

From: Yasuaki Torimaru

[ Upstream commit 71a98248c63c535eaa4d4c22f099b68d902006d0 ]

build_expire() clears the trailing padding bytes of struct xfrm_user_expire
after setting the hard field via memset_after(), but the analogous function
build_polexpire() does not do this for struct xfrm_user_polexpire.

The padding bytes after the __u8 hard field are left uninitialized from the
heap allocation, and are then sent to userspace via netlink multicast to
XFRMNLGRP_EXPIRE listeners, leaking kernel heap memory contents.

Add the missing memset_after() call, matching build_expire().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Yasuaki Torimaru
Reviewed-by: Simon Horman
Reviewed-by: Breno Leitao
Signed-off-by: Steffen Klassert
[ replaced `memset_after()` macro with equivalent manual `memset()` call ]
Signed-off-by: Sasha Levin
---
 net/xfrm/xfrm_user.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index d9238e17ab427..58c61efe1d7b3 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3389,6 +3389,8 @@ static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp, return err; } upe->hard = !!hard; + /* clear the padding bytes */ + memset(&upe->hard + 1, 0, sizeof(*upe) - offsetofend(typeof(*upe), hard)); nlmsg_end(skb, nlh); return 0; -- 2.53.0
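Review bot: the added memset in build_polexpire() computes its two operands with different idioms: the start address by field pointer arithmetic (`&upe->hard + 1`) and the length via `offsetofend(typeof(*upe), hard)`. Both are correct here, since `&upe->hard + 1` is the first byte after `hard` and `sizeof(*upe) - offsetofend(typeof(*upe), hard)` is exactly the number of bytes that remain, which is what the backport note says the upstream `memset_after(upe, 0, hard)` expands to; writing the start as `(char *)upe + offsetofend(typeof(*upe), hard)` would make the pairing obvious to the next reader without changing behaviour. The comment `/* clear the padding bytes */` reads as cosmetic; stating why (the full `sizeof(*upe)` is multicast to XFRMNLGRP_EXPIRE listeners, so uncleared bytes reach userspace) would tell a future reviewer this line is a security fix and must not be dropped. Note that the clear covers only bytes after `hard`, which matches the commit message's description of the leak as trailing padding; any padding between earlier members of struct xfrm_user_polexpire would be outside this memset.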
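The commit message describes the bug abstractly: a struct built in recycled heap memory has its named fields written but not its compiler-inserted trailing padding, and the whole object is then copied out to netlink listeners. The following userspace C program is an added illustration of that pattern and of the fix, not code from the patch or from the kernel. It assumes a hypothetical stand-in layout (`struct fake_polexpire`, a `uint32_t` followed by a `uint8_t hard`) rather than the real `struct xfrm_user_polexpire`, simulates stale heap contents with a constructed 0xAA fill, and re-implements `offsetofend()` and a `memset_after()` equivalent so the leaky and fixed builders can be compared byte for byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct xfrm_user_polexpire (illustration only,
 * not the kernel's layout): a one-byte 'hard' at the end, so the compiler
 * appends trailing padding to reach the alignment of the largest member. */
struct fake_polexpire {
    uint32_t pol_index;  /* placeholder for the policy info that precedes 'hard' */
    uint8_t  hard;
    /* trailing padding lives here on common ABIs */
};

/* Same shape as the kernel's offsetofend(): offset of the first byte after MEMBER. */
#define offsetofend(TYPE, MEMBER) \
    (offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

/* Userspace re-implementation of the kernel memset_after() semantics:
 * zero everything in *obj that follows 'member'. */
#define memset_after(obj, v, member)                                       \
    memset((char *)(obj) + offsetofend(__typeof__(*(obj)), member), (v),   \
           sizeof(*(obj)) - offsetofend(__typeof__(*(obj)), member))

/* Models a recycled heap object: every byte starts as whatever the previous
 * owner left behind (constructed 0xAA fill stands in for stale kernel data). */
static struct fake_polexpire *alloc_stale(void)
{
    struct fake_polexpire *upe = malloc(sizeof(*upe));
    if (upe)
        memset(upe, 0xAA, sizeof(*upe));
    return upe;
}

/* Pre-fix pattern: named fields are written, padding is not. */
static void build_polexpire_leaky(struct fake_polexpire *upe, int hard)
{
    upe->pol_index = 7;
    upe->hard = !!hard;
}

/* Fixed pattern: identical, plus clearing everything after 'hard'. */
static void build_polexpire_fixed(struct fake_polexpire *upe, int hard)
{
    upe->pol_index = 7;
    upe->hard = !!hard;
    memset_after(upe, 0, hard);
}

/* Number of bytes the compiler inserted after 'hard'. */
size_t trailing_padding_bytes(void)
{
    return sizeof(struct fake_polexpire) - offsetofend(struct fake_polexpire, hard);
}

/* What a listener sees: the whole sizeof(*upe) is copied out, so count the
 * non-zero bytes that sit after 'hard'. */
size_t count_nonzero_padding(const struct fake_polexpire *upe)
{
    const unsigned char *p = (const unsigned char *)upe;
    size_t n = 0;
    for (size_t i = offsetofend(struct fake_polexpire, hard); i < sizeof(*upe); i++)
        if (p[i] != 0)
            n++;
    return n;
}

/* Builds the message in stale memory and returns how many stale bytes it
 * would expose; optionally reports the resulting 'hard' value. */
size_t leaked_bytes(int use_fix, int hard, uint8_t *hard_out)
{
    struct fake_polexpire *upe = alloc_stale();
    size_t n;
    if (!upe)
        return (size_t)-1;
    if (use_fix)
        build_polexpire_fixed(upe, hard);
    else
        build_polexpire_leaky(upe, hard);
    n = count_nonzero_padding(upe);
    if (hard_out)
        *hard_out = upe->hard;
    free(upe);
    return n;
}

/* Confirms the clear does not disturb the field it follows. */
unsigned built_hard_after_fix(int hard)
{
    uint8_t h = 0xFF;
    leaked_bytes(1, hard, &h);
    return h;
}

int main(void)
{
    printf("trailing padding: %zu bytes\n", trailing_padding_bytes());
    printf("leaky build exposes %zu stale bytes\n", leaked_bytes(0, 1, NULL));
    printf("fixed build exposes %zu stale bytes (hard=%u)\n",
           leaked_bytes(1, 2, NULL), built_hard_after_fix(2));
    return 0;
}
```

The leaky builder exposes exactly `trailing_padding_bytes()` stale bytes because every padding byte still carries the 0xAA fill, while the fixed builder exposes none and leaves `hard` at the normalised value `!!hard`. The same check applies to any kernel struct handed to `nlmsg_put()` or `copy_to_user()` whole: either zero the allocation up front or clear everything after the last field written.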