Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp260946img;
        Mon, 18 Mar 2019 02:30:32 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzEB2vr81AE6opofn92+zpQhhI+/AoNBsqyJnzwbD0ZfLqNfZM/oubB7eUIsADYL9k4mPgZ
X-Received: by 2002:a17:902:bb86:: with SMTP id m6mr18787636pls.4.1552901432451;
        Mon, 18 Mar 2019 02:30:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1552901432; cv=none;
        d=google.com; s=arc-20160816;
        b=SQ8fr3UwLL9Iocf4nocHA6zNy3OwjuLG9NR+721yWSE4rXefnSYArTeyJ+iMK/kF4x
         G6GkSOD9Udo/6KNRXdV581NzPe85OW9wFX2iEsLaCWMqGfPOr3IiiiNmybAqUoJnxJh/
         HxdAw+njc+4Gmo/6FUeApx2kkmYD81841V+H0Xfr+o2C5G0XV8gE/+OdXy+pg8qHK13R
         GYsWDtRT1WkibsHXjLH7AJXjLYs+CTUfd7rd0Vo9enuFg0O2tJ9M3LC6L/KLWuK/tM35
         vsPglScFEfIw8PQdYePnimFZsswJmrOCG4iRLVpq+ovJa3S7eImCdhOrrIYm6aYJL6RX
         beyQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=LmchA97oMUClPD6rAq6aDAgqXZ/xtKqGHbIs9gGaTqM=;
        b=o82xrNY35tcPEl86B/CLqG4POPfV7C2T9nlKpX8IseQjHaCrTirTuxaZSMujypqyUY
         J3/6ofdg6SZnp0233pin3poyzIQ6fIgSOqeHTJrqDmoOLFIPZVzXIuYrWzUfgG59ZTVH
         4l3GtWIA7UGxcQAIfrbbN53LoKlDqxOks68m+81yfiM43tGRFDDMVl0sDC2oAdZxhObE
         pZgww/OZOocNZ5kR2P9v2DH6JgHaxDX5QJqfvERuFjGNGf2dNFCqhpE6MpIhT0PDwVQQ
         dBvaiRbsS6xFAb2k7m7VI+54l0lnX6jYUeQJaJyydBDh+JoV5pULFwWKLjkEFKEvzEUo
         +9XA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=jd1BYmb0;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r133si8622913pgr.175.2019.03.18.02.30.16;
        Mon, 18 Mar 2019 02:30:32 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=jd1BYmb0;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728146AbfCRJ2x (ORCPT <rfc822;arandomawesomegeek@gmail.com>
        + 99 others); Mon, 18 Mar 2019 05:28:53 -0400
Received: from mail.kernel.org ([198.145.29.99]:34878 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727674AbfCRJ2u (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 18 Mar 2019 05:28:50 -0400
Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id C0FD62083D;
        Mon, 18 Mar 2019 09:28:48 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1552901329;
        bh=QyV6D9m5d/i+f2kGy6TaB9r8UYBsmAHfqlibIwu2GqU=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=jd1BYmb0YsHkop7hB7yZBupW89U0NLFcc9MVUdc7/WqKEo0m0Po328NCZBs2hkrl+
         yMfOT0rOnXiXnrS/uCrWwL9WhoLWOXeJLjc0GKjD3uAOP4v8K0U1dZJRFY8yKpQZrv
         JEIjPGMmZYlsobzC3H8wdIJBBa3NM4INkTkfFygY=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
        syzbot <syzkaller@googlegroups.com>,
        "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.20 04/52] l2tp: fix infoleak in l2tp_ip6_recvmsg()
Date:   Mon, 18 Mar 2019 10:24:51 +0100
Message-Id: <20190318083843.917472386@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190318083843.398913295@linuxfoundation.org>
References: <20190318083843.398913295@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 163d1c3d6f17556ed3c340d3789ea93be95d6c28 ]

Back in 2013 Hannes took care of most of such leaks in commit
bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")

But the bug in l2tp_ip6_recvmsg() has not been fixed.

syzbot report :

BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
 kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694
 kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
 copy_to_user include/linux/uaccess.h:174 [inline]
 move_addr_to_user+0x311/0x570 net/socket.c:227
 ___sys_recvmsg+0xb65/0x1310 net/socket.c:2283
 do_recvmmsg+0x646/0x10c0 net/socket.c:2390
 __sys_recvmmsg net/socket.c:2469 [inline]
 __do_sys_recvmmsg net/socket.c:2492 [inline]
 __se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485
 __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x445819
Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f64453eddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445819
RDX: 0000000000000005 RSI: 0000000020002f80 RDI: 0000000000000003
RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
R13: 00007ffeba8f87af R14: 00007f64453ee9c0 R15: 20c49ba5e353f7cf

Local variable description: ----addr@___sys_recvmsg
Variable was created at:
 ___sys_recvmsg+0xf6/0x1310 net/socket.c:2244
 do_recvmmsg+0x646/0x10c0 net/socket.c:2390

Bytes 0-31 of 32 are uninitialized
Memory access of size 32 starts at ffff8880ae62fbb0
Data copied to user address 0000000020000000

Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/l2tp/l2tp_ip6.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -674,9 +674,6 @@ static int l2tp_ip6_recvmsg(struct sock
 	if (flags & MSG_OOB)
 		goto out;
 
-	if (addr_len)
-		*addr_len = sizeof(*lsa);
-
 	if (flags & MSG_ERRQUEUE)
 		return ipv6_recv_error(sk, msg, len, addr_len);
 
@@ -706,6 +703,7 @@ static int l2tp_ip6_recvmsg(struct sock
 		lsa->l2tp_conn_id = 0;
 		if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
 			lsa->l2tp_scope_id = inet6_iif(skb);
+		*addr_len = sizeof(*lsa);
 	}
 
 	if (np->rxopt.all)