4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 2 Aug 2020 06:50:41 +0000 (08:50 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 2 Aug 2020 06:50:41 +0000 (08:50 +0200)
added patches:
rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch

queue-4.4/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch b/queue-4.4/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch
new file mode 100644 (file)
index 0000000..8409b0b
--- /dev/null
@@ -0,0 +1,47 @@
+From bbc8a99e952226c585ac17477a85ef1194501762 Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Thu, 30 Jul 2020 15:20:26 -0400
+Subject: rds: Prevent kernel-infoleak in rds_notify_queue_get()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+commit bbc8a99e952226c585ac17477a85ef1194501762 upstream.
+
+rds_notify_queue_get() is potentially copying uninitialized kernel stack
+memory to userspace since the compiler may leave a 4-byte hole at the end
+of `cmsg`.
+
+In 2016 we tried to fix this issue by doing `= { 0 };` on `cmsg`, which
+unfortunately does not always initialize that 4-byte hole. Fix it by using
+memset() instead.
+
+Cc: stable@vger.kernel.org
+Fixes: f037590fff30 ("rds: fix a leak of kernel memory")
+Fixes: bdbe6fbc6a2f ("RDS: recv.c")
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rds/recv.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -301,12 +301,13 @@ static int rds_still_queued(struct rds_s
+ int rds_notify_queue_get(struct rds_sock *rs, struct msghdr *msghdr)
+ {
+       struct rds_notifier *notifier;
+-      struct rds_rdma_notify cmsg = { 0 }; /* fill holes with zero */
++      struct rds_rdma_notify cmsg;
+       unsigned int count = 0, max_messages = ~0U;
+       unsigned long flags;
+       LIST_HEAD(copy);
+       int err = 0;
++      memset(&cmsg, 0, sizeof(cmsg)); /* fill holes with zero */
+       /* put_cmsg copies to user space and thus may sleep. We can't do this
+        * with rs_lock held, so first grab as many notifications as we can stuff
index d135d9783bb9dbdda0b401b634e071696c849987..3898fde2b88c86903c8897d2866e130489e7bc47 100644 (file)
@@ -17,3 +17,4 @@ arm-8986-1-hw_breakpoint-don-t-invoke-overflow-handl.patch
 x86-build-lto-fix-truncated-.bss-with-fdata-sections.patch
 x86-vmlinux.lds-page-align-end-of-.page_aligned-sect.patch
 fbdev-detect-integer-underflow-at-struct-fbcon_ops-c.patch
+rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch