git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Eric Dumazet <edumazet@google.com>
	Thu, 30 Apr 2026 07:06:11 +0000 (07:06 +0000)
committer	Jakub Kicinski <kuba@kernel.org>
	Sat, 2 May 2026 00:01:40 +0000 (17:01 -0700)
commit	4f34002e2e37639133693c13a2a9977fab86880d
tree	687078f25a5346c6d83292cd034b5e99418f9f01	tree \| snapshot
parent	f93836b236773862e9ee268a82e3614caf77ea01	commit \| diff

ipmr: prevent info-leak in pmr_cache_report()

Yiming Qian reported:

<quote>
ipmr_cache_report()` allocates a report skb with `alloc_skb(128,
GFP_ATOMIC)` and appends a `struct igmphdr` using `skb_put()`. In the
non-`IGMPMSG_WHOLEPKT` path it initializes only:

- `igmp->type`
- `igmp->code`

but does not initialize:

- `igmp->csum`
- `igmp->group`

Later, `igmpmsg_netlink_event()` copies the bytes after `sizeof(struct
igmpmsg)` into the `IPMRA_CREPORT_PKT` netlink attribute and emits
`RTM_NEWCACHEREPORT` on `RTNLGRP_IPV4_MROUTE_R`.

As a result, 6 bytes of stale heap data from the skb head are
disclosed to userspace.
</quote>

Let's use skb_put_zero() instead of skb_put() to fix this bug.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260430070611.4004529-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>