From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com, Xin Long, Marcelo Ricardo Leitner, Neil Horman, "David S. Miller"
Subject: [PATCH 4.9 18/71] sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
Date: Mon, 7 Jan 2019 13:32:47 +0100
Message-Id: <20190107105332.939015640@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190107105330.280153213@linuxfoundation.org>
References: <20190107105330.280153213@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Xin Long

[ Upstream commit 4a2eb0c37b4759416996fbb4c45b932500cf06d3 ]

syzbot reported a kernel-infoleak, which is caused by an uninitialized
field (sin6_flowinfo) of addr->a.v6 in sctp_inet6addr_event().
The call trace is as below:

  BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
  CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Call Trace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x32d/0x480 lib/dump_stack.c:113
    kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
    kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
    kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
    _copy_to_user+0x19a/0x230 lib/usercopy.c:33
    copy_to_user include/linux/uaccess.h:183 [inline]
    sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
    sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
    sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
    __sys_getsockopt+0x489/0x550 net/socket.c:1939
    __do_sys_getsockopt net/socket.c:1950 [inline]
    __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
    __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
    do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
    entry_SYSCALL_64_after_hwframe+0x63/0xe7

sin6_flowinfo is not really used by SCTP, so it will be fixed by simply
setting it to 0.

The issue exists since very beginning.
Thanks Alexander for the reproducer provided.

Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
Signed-off-by: Xin Long
Acked-by: Marcelo Ricardo Leitner
Acked-by: Neil Horman
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
--- net/sctp/ipv6.c | 1 + 1 file changed, 1 insertion(+) --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c 
@@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct n if (addr) { addr->a.v6.sin6_family = AF_INET6; addr->a.v6.sin6_port = 0; + addr->a.v6.sin6_flowinfo = 0; addr->a.v6.sin6_addr = ifa->addr; addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex; addr->valid = 1;
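
Review bot: the added `addr->a.v6.sin6_flowinfo = 0;` closes the reported leak, but the `if (addr)` block in sctp_inet6addr_event() still initializes addr->a.v6 one member at a time, so any byte of addr->a that these five assignments do not cover would reach copy_to_user in sctp_getsockopt_local_addrs the same way. The allocation of addr is outside the hunk context; if it is not a zeroing allocation, consider zeroing addr->a once before the assignments (or allocating addr zeroed) rather than adding fields individually, so the next missed member or padding byte cannot trigger the same KMSAN report.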