git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/3.18.132/sctp-initialize-sin6_flowinfo-for-ipv6-addrs-in-sctp_inet6addr_event.patch
1 From foo@baz Sat Jan 5 08:35:42 CET 2019
2 From: Xin Long <lucien.xin@gmail.com>
3 Date: Mon, 10 Dec 2018 18:00:52 +0800
4 Subject: sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
5
6 From: Xin Long <lucien.xin@gmail.com>
7
8 [ Upstream commit 4a2eb0c37b4759416996fbb4c45b932500cf06d3 ]
9
10 syzbot reported a kernel-infoleak, which is caused by an uninitialized
11 field (sin6_flowinfo) of addr->a.v6 in sctp_inet6addr_event().
12 The call trace is as below:
13
14 BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
15 CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
16 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
17 Google 01/01/2011
18 Call Trace:
19 __dump_stack lib/dump_stack.c:77 [inline]
20 dump_stack+0x32d/0x480 lib/dump_stack.c:113
21 kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
22 kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
23 kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
24 _copy_to_user+0x19a/0x230 lib/usercopy.c:33
25 copy_to_user include/linux/uaccess.h:183 [inline]
26 sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
27 sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
28 sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
29 __sys_getsockopt+0x489/0x550 net/socket.c:1939
30 __do_sys_getsockopt net/socket.c:1950 [inline]
31 __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
32 __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
33 do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
34 entry_SYSCALL_64_after_hwframe+0x63/0xe7
35
36 sin6_flowinfo is not really used by SCTP, so it will be fixed by simply
37 setting it to 0.
38
39 The issue has existed since the very beginning.
40 Thanks Alexander for the reproducer provided.
41
42 Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
43 Signed-off-by: Xin Long <lucien.xin@gmail.com>
44 Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
45 Acked-by: Neil Horman <nhorman@tuxdriver.com>
46 Signed-off-by: David S. Miller <davem@davemloft.net>
47 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
48 ---
49 net/sctp/ipv6.c | 1 +
50 1 file changed, 1 insertion(+)
51
52 --- a/net/sctp/ipv6.c
53 +++ b/net/sctp/ipv6.c
54 @@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct n
55 if (addr) {
56 addr->a.v6.sin6_family = AF_INET6;
57 addr->a.v6.sin6_port = 0;
58 + addr->a.v6.sin6_flowinfo = 0;
59 addr->a.v6.sin6_addr = ifa->addr;
60 addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
61 addr->valid = 1;
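
Review bot: member-by-member initialization of `addr->a.v6` under `if (addr) {` stays fragile after this one-line fix. Any padding, or any bytes of `addr->a` that the five assignments do not cover, would still be uninitialized when the entry is later copied out by `copy_to_user` in sctp_getsockopt_local_addrs, the path shown in the KMSAN trace. Consider clearing the whole address once before the assignments, for example `memset(&addr->a, 0, sizeof(addr->a));`, or zero-allocating `addr` at its allocation site (not visible in this hunk's context), so correctness no longer depends on listing every field. A short comment noting that this structure is exposed to user space would also help keep future fields from repeating the leak.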