From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com, Xin Long, Alexander Potapenko, Neil Horman, "David S. Miller"
Subject: [PATCH 4.9 54/76] sctp: initialize _pad of sockaddr_in before copying to user memory
Date: Mon, 15 Apr 2019 20:44:18 +0200
Message-Id: <20190415183722.684388791@linuxfoundation.org>
In-Reply-To: <20190415183707.712011689@linuxfoundation.org>
References: <20190415183707.712011689@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xin Long

[ Upstream commit 09279e615c81ce55e04835970601ae286e3facbe ]

Syzbot reported a kernel-infoleak:

BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
Call Trace:
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
 copy_to_user include/linux/uaccess.h:174 [inline]
 sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
 sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
 ...
Uninit was stored to memory at:
 sctp_transport_init net/sctp/transport.c:61 [inline]
 sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
 sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
 sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
 sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
 ...

Bytes 8-15 of 16 are uninitialized

It was caused by the _pad field (bytes 8-15) of a v4 addr (saved in struct sockaddr_in) not being initialized, but directly copied to user memory in sctp_getsockopt_peer_addrs().

So fix it by calling memset(addr->v4.sin_zero, 0, 8) to initialize _pad of sockaddr_in before copying it to user memory in sctp_v4_addr_to_user(), as sctp_v6_addr_to_user() does.

Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
Signed-off-by: Xin Long Tested-by: Alexander Potapenko Acked-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sctp/protocol.c | 1 + 1 file changed, 1 insertion(+) --- a/net/sctp/protocol.c +++ b/net/sctp/protocol.c @@ -600,6 +600,7 @@ out: static int sctp_v4_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr) { /* No address mapping for V4 sockets */ + memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); return sizeof(struct sockaddr_in); }
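Review bot: the comment directly above the new memset, "/* No address mapping for V4 sockets */", still describes a function that did nothing to the address, while the function now scrubs padding at the user-copy boundary; extend it so a later reader does not mistake the memset for dead code, e.g. "/* No address mapping for V4 sockets; clear sin_zero so no uninitialized padding reaches userspace */". The placement itself is right: the caller copies the full sizeof(struct sockaddr_in) that this function returns, so bytes 8-15 (sin_zero) go out to userspace on every path that uses this helper, not only the sctp_getsockopt_peer_addrs() path in the syzbot trace. Using sizeof(addr->v4.sin_zero) rather than the literal 8 quoted in the commit message is the better choice; the two agree for struct sockaddr_in.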
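The leak described in the commit message, modelled in userspace as an added example (this is not kernel code and not part of the original patch). The kernel side of the copy is reduced to a memcpy stand-in for copy_to_user(); the names fill_v4_addr, leaked_padding_bytes, union addr_slot and the STALE_BYTE pattern are this example's own inventions, and the "stale" bytes are constructed rather than genuinely uninitialized, since reading truly uninitialized memory is undefined behaviour and not reproducible outside KMSAN. The two to_user variants mirror sctp_v4_addr_to_user() before and after the fix.

```c
/*
 * Userspace model of the sockaddr_in sin_zero infoleak and its fix.
 * Added example; not the kernel's code. "Kernel" and "user" are plain
 * functions in one process; copy_to_user() is replaced by memcpy().
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed "stale" kernel memory: pretend an earlier allocation left it. */
#define STALE_BYTE 0xA5

/* Stand-in for the v4 member of union sctp_addr living in kernel memory.
 * struct sockaddr_in is 16 bytes: family(2) + port(2) + addr(4) + sin_zero(8). */
union addr_slot {
    struct sockaddr_in v4;
    unsigned char raw[sizeof(struct sockaddr_in)];
};

/* Mimics how the transport code set up a v4 peer address: the named fields
 * are written, sin_zero is never touched and keeps the allocation's old bytes. */
static void fill_v4_addr(union addr_slot *slot, const char *ip, uint16_t port)
{
    memset(slot->raw, STALE_BYTE, sizeof(slot->raw)); /* constructed stale data */
    slot->v4.sin_family = AF_INET;
    slot->v4.sin_port = htons(port);
    inet_pton(AF_INET, ip, &slot->v4.sin_addr);
}

/* Before the fix: only report the length; padding goes out as-is. */
static size_t v4_addr_to_user_vulnerable(union addr_slot *slot)
{
    (void)slot;
    return sizeof(struct sockaddr_in);
}

/* After the fix: scrub sin_zero at the user-copy boundary. */
static size_t v4_addr_to_user_fixed(union addr_slot *slot)
{
    memset(slot->v4.sin_zero, 0, sizeof(slot->v4.sin_zero));
    return sizeof(struct sockaddr_in);
}

/* Stand-in for the getsockopt path: copy the reported length to the user
 * buffer and count how many sin_zero bytes still carry the stale pattern. */
static int leaked_padding_bytes(size_t (*to_user)(union addr_slot *))
{
    union addr_slot kaddr;
    unsigned char ubuf[sizeof(struct sockaddr_in)];
    int leaked = 0;
    size_t i, len;

    fill_v4_addr(&kaddr, "192.0.2.1", 9); /* constructed peer (TEST-NET-1) */
    len = to_user(&kaddr);
    memcpy(ubuf, kaddr.raw, len);         /* copy_to_user() stand-in */

    for (i = offsetof(struct sockaddr_in, sin_zero); i < len; i++)
        if (ubuf[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("vulnerable: %d sin_zero bytes leaked\n",
           leaked_padding_bytes(v4_addr_to_user_vulnerable));
    printf("fixed:      %d sin_zero bytes leaked\n",
           leaked_padding_bytes(v4_addr_to_user_fixed));
    return 0;
}
```

The point the model makes is that the named fields are fully written and look correct from userspace; the leak is invisible unless you inspect the bytes past sin_addr, which is exactly the region KMSAN flagged as bytes 8-15 of 16. Zeroing at the helper that returns the copy length, rather than at one call site, is what makes the fix cover every caller.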