From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com, Xin Long , Alexander Potapenko , Neil Horman , "David S. Miller"
Subject: [PATCH 4.14 25/69] sctp: initialize _pad of sockaddr_in before copying to user memory
Date: Mon, 15 Apr 2019 20:58:43 +0200
Message-Id: <20190415183731.063370048@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190415183726.036654568@linuxfoundation.org>
References: <20190415183726.036654568@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xin Long

[ Upstream commit 09279e615c81ce55e04835970601ae286e3facbe ]

Syzbot reports a kernel-infoleak:

BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
Call Trace:
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
 copy_to_user include/linux/uaccess.h:174 [inline]
 sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
 sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
 ...
Uninit was stored to memory at:
 sctp_transport_init net/sctp/transport.c:61 [inline]
 sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
 sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
 sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
 sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
 ...

Bytes 8-15 of 16 are uninitialized

It was caused by the _pad field (bytes 8-15) of a v4 addr (saved in struct sockaddr_in) not being initialized, but directly copied to user memory in sctp_getsockopt_peer_addrs().

So fix it by calling memset(addr->v4.sin_zero, 0, 8) to initialize _pad of sockaddr_in before copying it to user memory in sctp_v4_addr_to_user(), as sctp_v6_addr_to_user() does.

Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
Signed-off-by: Xin Long Tested-by: Alexander Potapenko Acked-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sctp/protocol.c | 1 + 1 file changed, 1 insertion(+) --- a/net/sctp/protocol.c +++ b/net/sctp/protocol.c @@ -605,6 +605,7 @@ out: static int sctp_v4_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr) { /* No address mapping for V4 sockets */ + memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); return sizeof(struct sockaddr_in); }
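Review bot: the existing comment in sctp_v4_addr_to_user(), `/* No address mapping for V4 sockets */`, no longer describes what the function does once the memset is in place; add a second line stating that sin_zero is cleared because the caller copies the full sizeof(struct sockaddr_in) returned here to user space and the transport-init path never writes those eight bytes, so a later cleanup does not drop the memset as redundant. Using sizeof(addr->v4.sin_zero) rather than the literal 8 quoted in the commit message is the right choice and should stay.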
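A user-space model of the leak this patch closes, added here as an example that is neither part of the patch nor of the kernel tree. It fills a struct sockaddr_in field by field, the way the transport's address is set up, and then copies the full sizeof(struct sockaddr_in) out twice: once without touching sin_zero, as before the fix, and once after the memset the patch adds. The allocation is pre-filled with a marker byte to stand in for stale heap contents, so the bytes that reach the "user" buffer can be counted without KMSAN; fill_v4_addr, v4_addr_to_user_leaky, v4_addr_to_user_fixed, leaked_bytes and STALE_BYTE are names chosen for this example only.

```c
/*
 * Added example, not kernel code: model of the sockaddr_in sin_zero
 * infoleak fixed by "sctp: initialize _pad of sockaddr_in before
 * copying to user memory". All names below are this example's own.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Marker standing in for whatever a previous allocation left behind. */
#define STALE_BYTE 0x41

/*
 * Model of the transport init path: family, port and address are set,
 * sin_zero (bytes 8-15 of the 16-byte struct) is never written.
 */
static void fill_v4_addr(struct sockaddr_in *sin, const char *ip, uint16_t port)
{
    memset(sin, STALE_BYTE, sizeof(*sin));   /* "freshly allocated", not zeroed */
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    inet_pton(AF_INET, ip, &sin->sin_addr);
    /* sin->sin_zero deliberately left as-is: this is the bug. */
}

/* Before the fix: report the length to copy, touch nothing. */
static size_t v4_addr_to_user_leaky(struct sockaddr_in *sin)
{
    (void)sin;
    return sizeof(struct sockaddr_in);
}

/* After the fix: clear the padding before the caller copies it out. */
static size_t v4_addr_to_user_fixed(struct sockaddr_in *sin)
{
    memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
    return sizeof(struct sockaddr_in);
}

/*
 * Run one variant end to end and count how many marker bytes land in the
 * sin_zero region of the copy the "user" receives. 0 means no leak.
 */
static size_t leaked_bytes(size_t (*to_user)(struct sockaddr_in *))
{
    struct sockaddr_in sin;
    unsigned char user[sizeof(struct sockaddr_in)];
    size_t len, i, stale = 0;

    fill_v4_addr(&sin, "192.0.2.1", 9899);   /* constructed sample address */
    len = to_user(&sin);
    memcpy(user, &sin, len);                 /* stands in for copy_to_user() */

    for (i = offsetof(struct sockaddr_in, sin_zero); i < len; i++)
        if (user[i] == STALE_BYTE)
            stale++;
    return stale;
}

int main(void)
{
    printf("before fix: %zu stale bytes reach user space\n",
           leaked_bytes(v4_addr_to_user_leaky));
    printf("after fix:  %zu stale bytes reach user space\n",
           leaked_bytes(v4_addr_to_user_fixed));
    return 0;
}
```

The count comes out as the full eight bytes of sin_zero for the unfixed path and zero once the memset runs, which is exactly the "Bytes 8-15 of 16 are uninitialized" KMSAN reports above. The same pattern applies to any kernel struct copied out whole: initialise every byte the copy length covers, padding included, rather than only the named fields a caller reads.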