]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - queue-4.4/xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
projects / thirdparty / kernel / stable-queue.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Linux 4.9.124
[thirdparty/kernel/stable-queue.git] / queue-4.4 / xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
1 From 45c180bc29babbedd6b8c01b975780ef44d9d09c Mon Sep 17 00:00:00 2001
2 From: Eric Dumazet <edumazet@google.com>
3 Date: Mon, 18 Jun 2018 21:35:07 -0700
4 Subject: xfrm_user: prevent leaking 2 bytes of kernel memory
5
6 From: Eric Dumazet <edumazet@google.com>
7
8 commit 45c180bc29babbedd6b8c01b975780ef44d9d09c upstream.
9
10 struct xfrm_userpolicy_type has two holes, so we should not
11 use C99 style initializer.
12
13 KMSAN report:
14
15 BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
16 BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
17 CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
18 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
19 Call Trace:
20 __dump_stack lib/dump_stack.c:77 [inline]
21 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
22 kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
23 kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
24 kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
25 copyout lib/iov_iter.c:140 [inline]
26 _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
27 copy_to_iter include/linux/uio.h:106 [inline]
28 skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
29 skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
30 netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
31 sock_recvmsg_nosec net/socket.c:802 [inline]
32 sock_recvmsg+0x1d6/0x230 net/socket.c:809
33 ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
34 __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
35 do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
36 __do_sys_recvmmsg net/socket.c:2485 [inline]
37 __se_sys_recvmmsg net/socket.c:2481 [inline]
38 __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
39 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
40 entry_SYSCALL_64_after_hwframe+0x44/0xa9
41 RIP: 0033:0x446ce9
42 RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
43 RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
44 RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
45 RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
46 R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
47 R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001
48
49 Uninit was stored to memory at:
50 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
51 kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
52 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
53 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
54 __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
55 __nla_put lib/nlattr.c:569 [inline]
56 nla_put+0x276/0x340 lib/nlattr.c:627
57 copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
58 dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
59 xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
60 xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
61 netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
62 __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
63 netlink_dump_start include/linux/netlink.h:214 [inline]
64 xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
65 netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
66 xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
67 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
68 netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
69 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
70 sock_sendmsg_nosec net/socket.c:629 [inline]
71 sock_sendmsg net/socket.c:639 [inline]
72 ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
73 __sys_sendmsg net/socket.c:2155 [inline]
74 __do_sys_sendmsg net/socket.c:2164 [inline]
75 __se_sys_sendmsg net/socket.c:2162 [inline]
76 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
77 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
78 entry_SYSCALL_64_after_hwframe+0x44/0xa9
79 Local variable description: ----upt.i@dump_one_policy
80 Variable was created at:
81 dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
82 xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
83
84 Byte 130 of 137 is uninitialized
85 Memory access starts at ffff88019550407f
86
87 Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
88 Signed-off-by: Eric Dumazet <edumazet@google.com>
89 Reported-by: syzbot <syzkaller@googlegroups.com>
90 Cc: Steffen Klassert <steffen.klassert@secunet.com>
91 Cc: Herbert Xu <herbert@gondor.apana.org.au>
92 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
93 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
94
95 ---
96 net/xfrm/xfrm_user.c | 8 +++++---
97 1 file changed, 5 insertions(+), 3 deletions(-)
98
99 --- a/net/xfrm/xfrm_user.c
100 +++ b/net/xfrm/xfrm_user.c
101 @@ -1624,9 +1624,11 @@ static inline size_t userpolicy_type_att
102 #ifdef CONFIG_XFRM_SUB_POLICY
103 static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
104 {
105 - struct xfrm_userpolicy_type upt = {
106 - .type = type,
107 - };
108 + struct xfrm_userpolicy_type upt;
109 +
110 + /* Sadly there are two holes in struct xfrm_userpolicy_type */
111 + memset(&upt, 0, sizeof(upt));
112 + upt.type = type;
113
114 return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
115 }
Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git