releases/5.0.3/l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch

   1 From foo@baz Thu Mar 14 23:19:55 PDT 2019
   2 From: Eric Dumazet <edumazet@google.com>
   3 Date: Tue, 12 Mar 2019 06:50:11 -0700
   4 Subject: l2tp: fix infoleak in l2tp_ip6_recvmsg()
   5
   6 From: Eric Dumazet <edumazet@google.com>
   7
   8 [ Upstream commit 163d1c3d6f17556ed3c340d3789ea93be95d6c28 ]
   9
  10 Back in 2013 Hannes took care of most of such leaks in commit
  11 bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")
  12
  13 But the bug in l2tp_ip6_recvmsg() has not been fixed.
  14
  15 syzbot report :
  16
  17 BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
  18 CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11
  19 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  20 Call Trace:
  21  __dump_stack lib/dump_stack.c:77 [inline]
  22  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
  23  kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
  24  kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694
  25  kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
  26  _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
  27  copy_to_user include/linux/uaccess.h:174 [inline]
  28  move_addr_to_user+0x311/0x570 net/socket.c:227
  29  ___sys_recvmsg+0xb65/0x1310 net/socket.c:2283
  30  do_recvmmsg+0x646/0x10c0 net/socket.c:2390
  31  __sys_recvmmsg net/socket.c:2469 [inline]
  32  __do_sys_recvmmsg net/socket.c:2492 [inline]
  33  __se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485
  34  __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485
  35  do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
  36  entry_SYSCALL_64_after_hwframe+0x63/0xe7
  37 RIP: 0033:0x445819
  38 Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
  39 RSP: 002b:00007f64453eddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
  40 RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445819
  41 RDX: 0000000000000005 RSI: 0000000020002f80 RDI: 0000000000000003
  42 RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
  43 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
  44 R13: 00007ffeba8f87af R14: 00007f64453ee9c0 R15: 20c49ba5e353f7cf
  45
  46 Local variable description: ----addr@___sys_recvmsg
  47 Variable was created at:
  48  ___sys_recvmsg+0xf6/0x1310 net/socket.c:2244
  49  do_recvmmsg+0x646/0x10c0 net/socket.c:2390
  50
  51 Bytes 0-31 of 32 are uninitialized
  52 Memory access of size 32 starts at ffff8880ae62fbb0
  53 Data copied to user address 0000000020000000
  54
  55 Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
  56 Signed-off-by: Eric Dumazet <edumazet@google.com>
  57 Reported-by: syzbot <syzkaller@googlegroups.com>
  58 Signed-off-by: David S. Miller <davem@davemloft.net>
  59 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  60 ---
  61  net/l2tp/l2tp_ip6.c |    4 +---
  62  1 file changed, 1 insertion(+), 3 deletions(-)
  63
  64 --- a/net/l2tp/l2tp_ip6.c
  65 +++ b/net/l2tp/l2tp_ip6.c
  66 @@ -674,9 +674,6 @@ static int l2tp_ip6_recvmsg(struct sock
  67         if (flags & MSG_OOB)
  68                 goto out;
  69
  70 -       if (addr_len)
  71 -               *addr_len = sizeof(*lsa);
  72 -
  73         if (flags & MSG_ERRQUEUE)
  74                 return ipv6_recv_error(sk, msg, len, addr_len);
  75
  76 @@ -706,6 +703,7 @@ static int l2tp_ip6_recvmsg(struct sock
  77                 lsa->l2tp_conn_id = 0;
  78                 if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
  79                         lsa->l2tp_scope_id = inet6_iif(skb);
  80 +               *addr_len = sizeof(*lsa);
  81         }
  82
  83         if (np->rxopt.all)