tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR

In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an
uninitialised on-stack struct sockaddr_storage to userspace via
ifr_hwaddr, but netif_get_mac_address() only writes sa_family and
dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised.

Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a
macvtap chardev returns kernel .text and direct-map pointers, defeating
KASLR.

Initialise ss at declaration.

Fixes: 3b23a32a6321 ("net: fix dev_ifsioc_locked() race condition")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260520075736.3415676-3-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index b8240737dc519a534631216bb0a11bdeae64e33d..a590e07ce0a98c7a795b82c3471a0b4446bebeed 100644 (file)
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -919,11 +919,11 @@ static long tap_ioctl(struct file *file, unsigned int cmd,
        struct tap_queue *q = file->private_data;
        struct tap_dev *tap;
        void __user *argp = (void __user *)arg;
+       struct sockaddr_storage ss = {};
        struct ifreq __user *ifr = argp;
        unsigned int __user *up = argp;
        unsigned short u;
        int __user *sp = argp;
-       struct sockaddr_storage ss;
        int s;
        int ret;