From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com, Xin Long, Alexander Potapenko, Neil Horman, "David S. Miller"
Subject: [PATCH 4.4 082/168] sctp: initialize _pad of sockaddr_in before copying to user memory
Date: Wed, 24 Apr 2019 19:08:46 +0200
Message-Id: <20190424170928.695052288@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190424170923.452349382@linuxfoundation.org>
References: <20190424170923.452349382@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xin Long

[ Upstream commit 09279e615c81ce55e04835970601ae286e3facbe ]

Syzbot reported a kernel-infoleak:

BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
Call Trace:
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
 copy_to_user include/linux/uaccess.h:174 [inline]
 sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
 sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
 ...
Uninit was stored to memory at:
 sctp_transport_init net/sctp/transport.c:61 [inline]
 sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
 sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
 sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
 sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
 ...
Bytes 8-15 of 16 are uninitialized

It was caused by that the _pad field (the 8-15 bytes) of a v4 addr (saved in struct sockaddr_in) wasn't initialized, but was directly copied to user memory in sctp_getsockopt_peer_addrs().

So fix it by calling memset(addr->v4.sin_zero, 0, 8) to initialize _pad of sockaddr_in before copying it to user memory in sctp_v4_addr_to_user(), as sctp_v6_addr_to_user() does.

Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
Signed-off-by: Xin Long Tested-by: Alexander Potapenko Acked-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sctp/protocol.c | 1 + 1 file changed, 1 insertion(+) --- a/net/sctp/protocol.c +++ b/net/sctp/protocol.c @@ -598,6 +598,7 @@ out: static int sctp_v4_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr) { /* No address mapping for V4 sockets */ + memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); return sizeof(struct sockaddr_in); }
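Review bot: the commit message and the hunk disagree on the length argument: the message says memset(addr->v4.sin_zero, 0, 8) while the added line uses sizeof(addr->v4.sin_zero). The sizeof form is the one to keep, so the message text should be updated to match it. Also, the unchanged comment `/* No address mapping for V4 sockets */` now sits directly above the new memset and reads as if it explained it; a one-line comment on the added line stating that it clears the otherwise uninitialized sin_zero pad before the 16-byte sockaddr_in is copied to user space would keep the two statements from being read as one.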
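To make the "Bytes 8-15 of 16" in the report concrete, here is an added user-space C example, not the kernel's code and not part of this mail: it builds a struct sockaddr_in inside a buffer pre-filled with a constructed 0xAA pattern that stands in for uninitialized kernel memory, then counts how many of those bytes survive in sin_zero with and without the memset the hunk adds. The port and address values are sample values chosen for the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define STALE 0xAA  /* constructed fill standing in for uninitialized memory */

/* View the address both as the struct and as raw bytes (keeps alignment). */
union v4_buf {
    struct sockaddr_in sin;
    uint8_t raw[sizeof(struct sockaddr_in)];
};

/* Pre-fix behaviour: set the fields one by one and never touch sin_zero,
 * which is what the KMSAN trace points to in sctp_transport_init(). */
static void fill_v4_unfixed(struct sockaddr_in *sin)
{
    sin->sin_family = AF_INET;
    sin->sin_port = htons(9899);                   /* sample port, constructed */
    sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* sample address, constructed */
}

/* Post-fix behaviour: the same, plus the memset added to sctp_v4_addr_to_user(). */
static void fill_v4_fixed(struct sockaddr_in *sin)
{
    fill_v4_unfixed(sin);
    memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
}

/* Count sin_zero bytes (8..15 of 16) still holding the stale pattern, i.e. the
 * bytes that would cross a copy_to_user() boundary unchanged. */
static int count_leaked_bytes(void (*fill)(struct sockaddr_in *))
{
    union v4_buf buf;
    int leaked = 0;

    memset(buf.raw, STALE, sizeof(buf.raw));
    fill(&buf.sin);
    for (size_t i = offsetof(struct sockaddr_in, sin_zero); i < sizeof(buf.raw); i++)
        leaked += (buf.raw[i] == STALE);
    return leaked;
}

int main(void)
{
    printf("unfixed: %d stale bytes would reach user space\n", count_leaked_bytes(fill_v4_unfixed));
    printf("fixed:   %d stale bytes would reach user space\n", count_leaked_bytes(fill_v4_fixed));
    return 0;
}
```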