net: sched: act_connmark: initialize struct tc_ife to fix kernel leak

In tcf_connmark_dump(), the variable 'opt' was partially initialized using a
designatied initializer. While the padding bytes are reamined
uninitialized. nla_put() copies the entire structure into a
netlink message, these uninitialized bytes leaked to userspace.

Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to beign copied.

Reported-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c85cae3350b7d486aee
Tested-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Fixes: 22a5dc0e5e3e ("net: sched: Introduce connmark action")
Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251109091336.9277-2-vnranganath.20@gmail.com
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c
index 3e89927d711647d75f31c8d80a3ddd102e3d2e36..26ba8c2d20abf3e083f1388d603113cf9c8ff308 100644 (file)
--- a/net/sched/act_connmark.c
+++ b/net/sched/act_connmark.c
@@ -195,13 +195,15 @@ static inline int tcf_connmark_dump(struct sk_buff *skb, struct tc_action *a,
        const struct tcf_connmark_info *ci = to_connmark(a);
        unsigned char *b = skb_tail_pointer(skb);
        const struct tcf_connmark_parms *parms;
-       struct tc_connmark opt = {
-               .index   = ci->tcf_index,
-               .refcnt  = refcount_read(&ci->tcf_refcnt) - ref,
-               .bindcnt = atomic_read(&ci->tcf_bindcnt) - bind,
-       };
+       struct tc_connmark opt;
        struct tcf_t t;
 
+       memset(&opt, 0, sizeof(opt));
+
+       opt.index   = ci->tcf_index;
+       opt.refcnt  = refcount_read(&ci->tcf_refcnt) - ref;
+       opt.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;
+
        rcu_read_lock();
        parms = rcu_dereference(ci->parms);