From: Kai Zen
To: netdev@vger.kernel.org
Cc: stable@vger.kernel.org, edumazet@google.com, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, gregkh@linuxfoundation.org
Subject: [PATCH net v3] net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
Date: Thu, 30 Apr 2026 18:26:48 +0300
Message-ID: <3c506e8f936e52b57620269b55c348af05d413a2.1777557228.git.kai.aizen.dev@gmail.com>
X-Mailer: git-send-email 2.53.0

rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without
initialisation:

    struct ifla_vf_broadcast vf_broadcast;

The struct contains a single fixed 32-byte field:

    /* include/uapi/linux/if_link.h */
    struct ifla_vf_broadcast {
        __u8 broadcast[32];
    };

The function then copies dev->broadcast into it using dev->addr_len as the
length:

    memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);

On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len
is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26
bytes retain whatever was previously on the kernel stack.

The full struct is then handed to userspace via:

    nla_put(skb, IFLA_VF_BROADCAST, sizeof(vf_broadcast), &vf_broadcast)

leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK
request, repeatable.

The other vf_* structs in the same function are explicitly zeroed for exactly
this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and
port_guid a few lines above. vf_broadcast was simply missed when it was added.

Reachability: any unprivileged local process can open AF_NETLINK /
NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK
attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits
IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request.

Stack residue at this call site can include return addresses and transient
sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the
nla_put() when reproduced.

Zero the on-stack struct before the partial memcpy, matching the existing
pattern used for the other vf_* structs in the same function.

Fixes: 75345f888f70 ("ipoib: show VF broadcast address")
Cc: stable@vger.kernel.org
Signed-off-by: Kai Zen
---
 net/core/rtnetlink.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index b613bb6e0..df042da42 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1572,6 +1572,7 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb, port_guid.vf = ivi.vf; memcpy(vf_mac.mac, ivi.mac, sizeof(ivi.mac)); + memset(&vf_broadcast, 0, sizeof(vf_broadcast)); memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len); vf_vlan.vlan = ivi.vlan; vf_vlan.qos = ivi.qos; -- 2.43.0
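Review bot: the new memset() is placed directly before the partial memcpy() rather than beside the existing memset() calls for ivi, vf_vlan_info, node_guid and port_guid that the commit message says sit a few lines above; grouping it with those, or zero-initialising at the declaration (`struct ifla_vf_broadcast vf_broadcast = {};`), would keep all of the function's zeroing in one place and make the next added vf_* struct harder to miss. The change itself is the right fix for the bug described: after it, the bytes of broadcast[] beyond dev->addr_len reach nla_put() as zeros instead of stale stack contents, and the one-line diff is trivially backportable for the stable Cc.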
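The partial-copy infoleak the commit message describes, as an added user-space model that is not kernel code and not part of the patch: the struct is pre-filled with a constructed marker byte standing in for stale stack contents, then filled the pre-patch way (memcpy of addr_len bytes only) and the patched way (memset, then the same memcpy), and the bytes that still hold the marker are counted, since those are exactly the bytes nla_put(skb, IFLA_VF_BROADCAST, sizeof(vf_broadcast), ...) would hand to userspace. STALE_BYTE, dev_broadcast, fill_unzeroed, fill_zeroed, simulate and leaked_bytes are all constructed for this example; only struct ifla_vf_broadcast mirrors the UAPI layout quoted in the patch. The example goes one step beyond the Ethernet case in the text by letting addr_len vary, which shows that the leak size is 32 minus the hardware address length, and that only a full-width copy would avoid it without the memset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the UAPI struct quoted in the patch
 * (include/uapi/linux/if_link.h). */
struct ifla_vf_broadcast {
	uint8_t broadcast[32];
};

/* Constructed stand-in for "whatever was previously on the kernel stack".
 * Every byte of the struct is pre-filled with this marker before a fill
 * routine runs; any byte still equal to it afterwards was never written.
 * It must differ from 0x00 (what memset writes) and from 0xff (what the
 * broadcast address holds) for the count below to be meaningful. */
#define STALE_BYTE 0xAAu

/* Constructed stand-in for dev->broadcast: an all-ones hardware broadcast
 * address; only the first addr_len bytes are meaningful for a given device. */
static const uint8_t dev_broadcast[32] = {
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
};

typedef void (*fill_fn)(struct ifla_vf_broadcast *, const uint8_t *, size_t);

/* Pre-patch behaviour: partial memcpy() into a struct that was never zeroed. */
void fill_unzeroed(struct ifla_vf_broadcast *out, const uint8_t *src, size_t addr_len)
{
	memcpy(out->broadcast, src, addr_len);
}

/* Patched behaviour: memset() the whole struct before the partial memcpy(). */
void fill_zeroed(struct ifla_vf_broadcast *out, const uint8_t *src, size_t addr_len)
{
	memset(out, 0, sizeof(*out));
	memcpy(out->broadcast, src, addr_len);
}

/* Count bytes of the attribute payload that still hold the stale marker.
 * Because nla_put() is called with sizeof(vf_broadcast), every one of these
 * bytes would be copied into the netlink reply as-is. */
size_t count_stale(const struct ifla_vf_broadcast *attr)
{
	size_t n = 0;
	for (size_t i = 0; i < sizeof(attr->broadcast); i++)
		if (attr->broadcast[i] == STALE_BYTE)
			n++;
	return n;
}

/* Simulate one VF entry: fill the struct with stale data, then run the given
 * fill routine with the given hardware address length (clamped to the field
 * size, as MAX_ADDR_LEN-sized dev->broadcast would never exceed it). */
static void simulate(struct ifla_vf_broadcast *vf, fill_fn fill, size_t addr_len)
{
	if (addr_len > sizeof(vf->broadcast))
		addr_len = sizeof(vf->broadcast);
	memset(vf, STALE_BYTE, sizeof(*vf));
	fill(vf, dev_broadcast, addr_len);
}

/* Number of bytes that would leak for one VF with this fill routine. */
size_t leaked_bytes(fill_fn fill, size_t addr_len)
{
	struct ifla_vf_broadcast vf;
	simulate(&vf, fill, addr_len);
	return count_stale(&vf);
}

static void dump(const char *label, fill_fn fill, size_t addr_len)
{
	struct ifla_vf_broadcast vf;
	simulate(&vf, fill, addr_len);
	printf("%-24s", label);
	for (size_t i = 0; i < sizeof(vf.broadcast); i++)
		printf(" %02x", vf.broadcast[i]);
	printf("  (%zu stale bytes)\n", count_stale(&vf));
}

int main(void)
{
	/* addr_len 6 is the Ethernet case from the commit message. */
	dump("unzeroed, addr_len=6", fill_unzeroed, 6);
	dump("zeroed,   addr_len=6", fill_zeroed, 6);
	/* A full-width copy leaks nothing even without the memset. */
	dump("unzeroed, addr_len=32", fill_unzeroed, 32);
	return 0;
}
```

Compile with any C99 compiler and run; the first row shows 0xff in the first six bytes followed by 26 marker bytes, the second row shows zeros in their place. The marker approach is the same idea a KMSAN build applies automatically: it tracks which bytes were initialised and reports when uninitialised ones are copied to userspace.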