From foo@baz Sat Jan 5 08:35:42 CET 2019
From: Xin Long <lucien.xin@gmail.com>
Date: Mon, 10 Dec 2018 18:00:52 +0800
Subject: sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 4a2eb0c37b4759416996fbb4c45b932500cf06d3 ]

syzbot reported a kernel-infoleak, which is caused by an uninitialized
field (sin6_flowinfo) of addr->a.v6 in sctp_inet6addr_event().
The call trace is as below:
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x32d/0x480 lib/dump_stack.c:113
 kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
 kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
 kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
 _copy_to_user+0x19a/0x230 lib/usercopy.c:33
 copy_to_user include/linux/uaccess.h:183 [inline]
 sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
 sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
 sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
 __sys_getsockopt+0x489/0x550 net/socket.c:1939
 __do_sys_getsockopt net/socket.c:1950 [inline]
 __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
 __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
 do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
sin6_flowinfo is not really used by SCTP, so it will be fixed by simply

The issue has existed since the very beginning.
Thanks Alexander for the reproducer provided.

Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 1 file changed, 1 insertion(+)
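A user-space model of the leak the commit message describes, added here as an illustration and not part of the patch or of the kernel: a struct laid out like Linux's struct sockaddr_in6 is built on top of memory still holding stale bytes (constructed as a 0xAA fill), first the way sctp_inet6addr_event() filled it before the fix, then with sin6_flowinfo zeroed as the one-line change does. The loopback address, scope id and the AF_INET6 constant are assumed sample values.

```c
/* Added example, not kernel code: model the partially initialised sockaddr_in6 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA          /* marker for "whatever the allocation held before" */
#define AF_INET6_LINUX 10   /* AF_INET6 on Linux; kept local so the model is portable */

struct model_in6 {          /* same member order and sizes as Linux struct sockaddr_in6 */
    uint16_t sin6_family;
    uint16_t sin6_port;
    uint32_t sin6_flowinfo;
    uint8_t  sin6_addr[16];
    uint32_t sin6_scope_id;
};

/* Fill the struct as the pre-fix code did; zero_flowinfo applies the patch's one line. */
static void fill_addr(struct model_in6 *a, int zero_flowinfo)
{
    static const uint8_t loopback6[16] = { [15] = 1 };   /* ::1, a constructed ifa->addr */
    a->sin6_family = AF_INET6_LINUX;
    a->sin6_port = 0;
    if (zero_flowinfo)
        a->sin6_flowinfo = 0;                            /* the fix */
    memcpy(a->sin6_addr, loopback6, sizeof a->sin6_addr);
    a->sin6_scope_id = 2;                                /* a constructed ifindex */
}

/* Count bytes that still carry the stale marker, i.e. bytes that copy_to_user()
 * in sctp_getsockopt_local_addrs would hand to user space unchanged. */
int stale_bytes(int zero_flowinfo)
{
    union { struct model_in6 a; uint8_t raw[sizeof(struct model_in6)]; } u;
    memset(u.raw, STALE, sizeof u.raw);                  /* previous contents of memory */
    fill_addr(&u.a, zero_flowinfo);
    int n = 0;
    for (size_t i = 0; i < sizeof u.raw; i++)
        n += (u.raw[i] == STALE);
    return n;                /* 4 (the whole sin6_flowinfo) before the fix, 0 after it */
}

int main(void)
{
    printf("before fix: %d stale byte(s); after fix: %d\n", stale_bytes(0), stale_bytes(1));
    return 0;
}
```

The struct has no padding on the ABIs Linux supports (28 bytes, 4-byte alignment), which is why the single assignment closes the gap KMSAN reported.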
54 @@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct n
56 addr->a.v6.sin6_family = AF_INET6;
57 addr->a.v6.sin6_port = 0;
58 + addr->a.v6.sin6_flowinfo = 0;
59 addr->a.v6.sin6_addr = ifa->addr;
60 addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
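Review bot: the added `addr->a.v6.sin6_flowinfo = 0;` makes this block assign every member of struct sockaddr_in6 (sin6_family, sin6_port, sin6_flowinfo, sin6_addr, sin6_scope_id), and since the struct carries no padding between those members the single store is enough to close the 4-byte gap KMSAN flagged at the copy_to_user in sctp_getsockopt_local_addrs; a memset of addr->a.v6 before the field stores would be the more future-proof shape if a member is ever added, but is not required for this fix. The commit message sentence "so it will be fixed by simply" is truncated in this copy and should spell out the zeroing this hunk performs.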