Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp578596img; Fri, 22 Mar 2019 04:26:07 -0700 (PDT) X-Google-Smtp-Source: APXvYqy36rBsohuPwvcJL1tFGeZl6Ig4vHhok9+LAH5MMgfD6Pju8cEDn8lYiZ35AYMmtsG7INw1 X-Received: by 2002:a17:902:274a:: with SMTP id j10mr8864983plg.277.1553253967769; Fri, 22 Mar 2019 04:26:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553253967; cv=none; d=google.com; s=arc-20160816; b=kPeBTYh9qfAX1In6KcS71H9H+GMUN/dBI46BB/zGs8eiyVURexMhkxjTt1olf0c8h4 dm5hpfusulNi2X3xakbMBs8jBTHojEJxc42VVFBTNdnLX/f90fe5wxKhX8g2N54LOZTq IZGcMTOYkNHWIlm9Qy9DGFINBvy+VUw69x/6+9TitKnrbewh13DbAl8o3ed0Y9rXfXJy 1wPe2zHCFeq3W1ZQsUFpN32eFB3PMrRYDMqgdWUhstL/oRLHbX2i3RG8IzZHTJeo0vLD 1ADsLQR9eUNPUIly2zs8vjrnDvq5LB8GgDgySHfz1Znj73O/GsrUAlyaqM2PscsRnD13 ibTw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=suiQ0fqhYc9knCrznPWGnV9RU0clZOIJdPygoa+SsC8=; b=ONQ4EgvZuvR1AnRHgY8rhV9dahzag0MSQwYxyao/tLRIM8anC7P05uf5e8uAckzdan s7nlFsxWzdgMb9SnMVaCgWpwzwIAiURkC28LCYtVQwCZ9D2/nH2lL5ot+EEMjoiAJlRG zWsSr0p9ob4V3mPjsaW47aGgH5B4KGuvf/JsI/P5oA5o/jhaaLia+hH76U4CnejL1h1j CM/N0Hnv/keFdYAOWB3P1EetDh5tQur1DGXcrxozs1qa8OqoqEfnfd4zxXpeMo9QiIOV ZnndkxnuREbQGoqUPZ4xrEx6Jw9G8VTXgKbbJG0ZnA7FsFtX/BbNmUygPg8A+7e4L2dn L6aQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=z79NGlRZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d11si6394938pgh.447.2019.03.22.04.25.52; Fri, 22 Mar 2019 04:26:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=z79NGlRZ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729112AbfCVLYX (ORCPT + 99 others); Fri, 22 Mar 2019 07:24:23 -0400 Received: from mail.kernel.org ([198.145.29.99]:51440 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728560AbfCVLYW (ORCPT ); Fri, 22 Mar 2019 07:24:22 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id F273221917; Fri, 22 Mar 2019 11:24:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1553253861; bh=XdINCM/xnpHmOSvAO0QBVjNGPtn+C5kWzeqr3tPYn7g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=z79NGlRZ2XLeBDLb2TPE9y7J/b59rApMyR5mIbnPbd4jCmoiouf9Sf1PUMb3xhi/k gbynf21eGCqSGH9W2qMNCnMuZ4eWs+RPr2zw1xydtyhjoovWIuuvi3Aa/rTap5HtIQ eJVNjYK5oOzN48fjp/FmQDkiDtCuJtLTJt8WxpBw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , syzbot , "David S. Miller" Subject: [PATCH 3.18 079/134] l2tp: fix infoleak in l2tp_ip6_recvmsg() Date: Fri, 22 Mar 2019 12:14:52 +0100 Message-Id: <20190322111215.827020776@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190322111210.465931067@linuxfoundation.org> References: <20190322111210.465931067@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric Dumazet [ Upstream commit 163d1c3d6f17556ed3c340d3789ea93be95d6c28 ] Back in 2013 Hannes took care of most of such leaks in commit bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls") But the bug in l2tp_ip6_recvmsg() has not been fixed. syzbot report : BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x173/0x1d0 lib/dump_stack.c:113 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600 kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694 kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 copy_to_user include/linux/uaccess.h:174 [inline] move_addr_to_user+0x311/0x570 net/socket.c:227 ___sys_recvmsg+0xb65/0x1310 net/socket.c:2283 do_recvmmsg+0x646/0x10c0 net/socket.c:2390 __sys_recvmmsg net/socket.c:2469 [inline] __do_sys_recvmmsg net/socket.c:2492 [inline] __se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485 __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 RIP: 0033:0x445819 Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f64453eddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445819 RDX: 0000000000000005 RSI: 0000000020002f80 RDI: 0000000000000003 RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c R13: 00007ffeba8f87af R14: 00007f64453ee9c0 R15: 20c49ba5e353f7cf Local variable description: ----addr@___sys_recvmsg Variable was created at: ___sys_recvmsg+0xf6/0x1310 net/socket.c:2244 do_recvmmsg+0x646/0x10c0 net/socket.c:2390 Bytes 0-31 of 32 are uninitialized Memory access of size 32 starts at ffff8880ae62fbb0 Data copied to user address 0000000020000000 Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/l2tp/l2tp_ip6.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) --- a/net/l2tp/l2tp_ip6.c +++ b/net/l2tp/l2tp_ip6.c @@ -666,9 +666,6 @@ static int l2tp_ip6_recvmsg(struct kiocb if (flags & MSG_OOB) goto out; - if (addr_len) - *addr_len = sizeof(*lsa); - if (flags & MSG_ERRQUEUE) return ipv6_recv_error(sk, msg, len, addr_len); @@ -698,6 +695,7 @@ static int l2tp_ip6_recvmsg(struct kiocb lsa->l2tp_conn_id = 0; if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL) lsa->l2tp_scope_id = inet6_iif(skb); + *addr_len = sizeof(*lsa); } if (np->rxopt.all)