Date: Mon, 10 Dec 2018 07:24:36 -0500
From: Neil Horman
To: Xin Long
Cc: linux-kernel@vger.kernel.org, network dev, linux-sctp@vger.kernel.org, davem@davemloft.net, Marcelo Ricardo Leitner
Subject: Re: [PATCH net] sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
Message-ID: <20181210122436.GA4499@hmswarspite.think-freely.org>
References: <4c3dc15beee77a541042f79f35702574347dffc9.1544436052.git.lucien.xin@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4c3dc15beee77a541042f79f35702574347dffc9.1544436052.git.lucien.xin@gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Score: -2.9 (--)
X-Spam-Status: No
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Dec 10, 2018 at 06:00:52PM +0800, Xin Long wrote:
> syzbot reported a kernel-infoleak, which is caused by an uninitialized
> field (sin6_flowinfo) of addr->a.v6 in sctp_inet6addr_event().
> The call trace is as below:
>
> BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
> CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x32d/0x480 lib/dump_stack.c:113
>  kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
>  kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
>  kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
>  _copy_to_user+0x19a/0x230 lib/usercopy.c:33
>  copy_to_user include/linux/uaccess.h:183 [inline]
>  sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
>  sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
>  sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
>  __sys_getsockopt+0x489/0x550 net/socket.c:1939
>  __do_sys_getsockopt net/socket.c:1950 [inline]
>  __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
>  __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
>  do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
>  entry_SYSCALL_64_after_hwframe+0x63/0xe7
>
> sin6_flowinfo is not really used by SCTP, so it will be fixed by simply
> setting it to 0.
>
> The issue has existed since the very beginning.
> Thanks Alexander for the reproducer provided.
>
> Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
> Signed-off-by: Xin Long
> ---
>  net/sctp/ipv6.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> index fc6c5e4..7f0539d 100644
> --- a/net/sctp/ipv6.c
> +++ b/net/sctp/ipv6.c
> @@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
>  		if (addr) {
>  			addr->a.v6.sin6_family = AF_INET6;
>  			addr->a.v6.sin6_port = 0;
> +			addr->a.v6.sin6_flowinfo = 0;
>  			addr->a.v6.sin6_addr = ifa->addr;
>  			addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
>  			addr->valid = 1;
> --
> 2.1.0
>
Acked-by: Neil Horman
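Review bot: zeroing the whole sockaddr once would be more robust than adding one more per-field store: after this hunk addr->a.v6 is only free of uninitialized bytes as long as every byte of the struct is covered by an explicit assignment in this block, and the KMSAN report shows the entire sockaddr being handed to copy_to_user() from sctp_getsockopt_local_addrs(), so clearing addr->a (or the whole entry) before the field stores would also cover any padding or later-added field that this block does not assign. The commit message says the bug has existed "since very beginning" but carries no Fixes: tag; stable maintainers rely on it, so add one naming the commit that introduced sctp_inet6addr_event() (the commit id is not given in this thread).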
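As an added illustration that is not code from the patch or the kernel, the following user-space C program reproduces the defect class the commit message describes: a struct sockaddr_in6 carved out of memory with stale contents and filled in field by field, once without and once with the sin6_flowinfo store, then scanned for bytes that would reach user space unset. stale_alloc() is a constructed stand-in for kmalloc(), and the ::1 address and ifindex 2 are made-up inputs; the byte counts assume Linux's sockaddr_in6 layout.

```c
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed stand-in for kmalloc(): memory that still carries old contents,
 * here a recognisable marker byte instead of real leftovers. */
#define STALE 0xA5
static void *stale_alloc(size_t n) {
	void *p = malloc(n);
	if (p)
		memset(p, STALE, n);
	return p;
}

/* Same field-by-field initialisation as in sctp_inet6addr_event();
 * with_flowinfo selects the pre-patch (0) or patched (1) variant. */
static struct sockaddr_in6 *build_addr(const struct in6_addr *ifa,
				       uint32_t ifindex, int with_flowinfo) {
	struct sockaddr_in6 *a = stale_alloc(sizeof(*a));
	if (!a)
		return NULL;
	a->sin6_family = AF_INET6;
	a->sin6_port = 0;
	if (with_flowinfo)
		a->sin6_flowinfo = 0;
	a->sin6_addr = *ifa;
	a->sin6_scope_id = ifindex;
	return a;
}

/* Bytes still carrying the marker are exactly what an unconditional
 * copy_to_user() of the whole struct would expose to user space. */
static size_t stale_bytes(const struct sockaddr_in6 *a) {
	const unsigned char *p = (const unsigned char *)a;
	size_t n = 0, i;
	for (i = 0; i < sizeof(*a); i++)
		n += (p[i] == STALE);
	return n;
}

/* Number of uninitialised bytes left in the sockaddr for one variant,
 * using constructed inputs ::1 and ifindex 2. */
size_t leaked_bytes(int with_flowinfo) {
	struct in6_addr ifa = IN6ADDR_LOOPBACK_INIT;
	struct sockaddr_in6 *a = build_addr(&ifa, 2, with_flowinfo);
	size_t n = a ? stale_bytes(a) : (size_t)-1;
	free(a);
	return n;
}
```

Without the sin6_flowinfo store the four bytes of that field keep whatever the allocator left behind; with it, no byte of the struct is left unset.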