From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com, Xin Long, Neil Horman, "David S. Miller"
Subject: [PATCH 4.9 100/171] sctp: fully initialize v4 addr in some functions
Date: Thu, 2 Jan 2020 23:07:11 +0100
Message-Id: <20200102220601.061751680@linuxfoundation.org>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20200102220546.960200039@linuxfoundation.org>
References: <20200102220546.960200039@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Xin Long

[ Upstream commit b6f3320b1d5267e7b583a6d0c88dda518101740c ]

Syzbot found a crash:

  BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline]
  BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
  BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
  Call Trace:
   crc32_body lib/crc32.c:112 [inline]
   crc32_le_generic lib/crc32.c:179 [inline]
   __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
   chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90
   crypto_shash_update+0x4c5/0x530 crypto/shash.c:107
   crc32c+0x150/0x220 lib/libcrc32c.c:47
   sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36
   __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640
   sctp_compute_cksum include/net/sctp/checksum.h:59 [inline]
   sctp_packet_pack net/sctp/output.c:528 [inline]
   sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597
   sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline]
   sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194
   sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757
   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline]
   sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
   sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155
   sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
   sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
   sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
   sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672

The issue was caused by transport->ipaddr set with uninit addr param,
which was passed by:

  sctp_transport_init net/sctp/transport.c:47 [inline]
  sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
  sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
  sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]

where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't
initialize the padding of addr->v4. Later when calling
sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr) will become
the part of skb, and the issue occurs.
This patch is to fix it by initializing the padding of addr->v4 in
sctp_v4_from_addr_param(), as well as other functions that do the
similar thing, and these functions shouldn't trust that the caller
initializes the memory, as Marcelo suggested.

Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com
Signed-off-by: Xin Long
Acked-by: Neil Horman
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/sctp/protocol.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/sctp/protocol.c +++ b/net/sctp/protocol.c @@ -257,6 +257,7 @@ static void sctp_v4_from_sk(union sctp_a addr->v4.sin_family = AF_INET; addr->v4.sin_port = 0; addr->v4.sin_addr.s_addr = inet_sk(sk)->inet_rcv_saddr; + memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); } /* Initialize sk->sk_rcv_saddr from sctp_addr. */ @@ -279,6 +280,7 @@ static void sctp_v4_from_addr_param(unio addr->v4.sin_family = AF_INET; addr->v4.sin_port = port; addr->v4.sin_addr.s_addr = param->v4.addr.s_addr; + memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); } /* Initialize an address parameter from a sctp_addr and return the length @@ -303,6 +305,7 @@ static void sctp_v4_dst_saddr(union sctp saddr->v4.sin_family = AF_INET; saddr->v4.sin_port = port; saddr->v4.sin_addr.s_addr = fl4->saddr; + memset(saddr->v4.sin_zero, 0, sizeof(saddr->v4.sin_zero)); } /* Compare two addresses exactly. */ @@ -325,6 +328,7 @@ static void sctp_v4_inaddr_any(union sct addr->v4.sin_family = AF_INET; addr->v4.sin_addr.s_addr = htonl(INADDR_ANY); addr->v4.sin_port = port; + memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); } /* Is this a wildcard address? */
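Review bot: the first hunk (sctp_v4_from_sk) adds the memset of sin_zero after the three field assignments, and the same one-liner is then repeated in sctp_v4_from_addr_param(), sctp_v4_dst_saddr() and sctp_v4_inaddr_any(). Zeroing the structure once before the assignments (`memset(&addr->v4, 0, sizeof(addr->v4));` ahead of `addr->v4.sin_family = AF_INET;`), or a small shared helper, would state the "do not trust the caller's memory" intent from the commit message in one place and would not depend on every future field or padding byte being remembered separately in four functions.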
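Review bot: in the second hunk (sctp_v4_from_addr_param) the parameter type is `union sctp_addr *`, and the commit message says the resulting value reaches the skb as hbinfo.daddr (= transport->ipaddr), i.e. as the union rather than as a struct sockaddr_in; `memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));` covers only the sockaddr_in padding, so any bytes of the union beyond sizeof(struct sockaddr_in) stay whatever the caller had there. Either the commit message should say that the consumers copy only the sockaddr_in part, or the memset should cover the whole union so the function is safe regardless of how its result is later copied.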
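As an added illustration that is not kernel code and not part of this patch or mail, the following userspace C program models the defect the commit message describes: a union wider than struct sockaddr_in whose sin_zero padding is left as the caller's stale memory by the pre-patch assignments and is zeroed by the post-patch ones. The union demo_sctp_addr, the functions v4_from_param_unfixed and v4_from_param_fixed, and the 0xAA fill standing in for uninitialised stack memory are all constructed for the example; only the union's member layout follows the kernel's union sctp_addr. The tail counter goes one step beyond the patch and shows the bytes past struct sockaddr_in that the sin_zero memset alone does not reach.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Userspace stand-in for the kernel's union sctp_addr (hypothetical name,
 * declared here only for this example). Like the kernel's union it is
 * wider than struct sockaddr_in because it must also hold a sockaddr_in6. */
union demo_sctp_addr {
	struct sockaddr_in v4;
	struct sockaddr_in6 v6;
	struct sockaddr sa;
};

/* Pre-patch shape of sctp_v4_from_addr_param(): only the three named
 * fields are written, so sin_zero keeps whatever the caller left there. */
static void v4_from_param_unfixed(union demo_sctp_addr *addr,
				  uint32_t s_addr_be, uint16_t port_be)
{
	addr->v4.sin_family = AF_INET;
	addr->v4.sin_port = port_be;
	addr->v4.sin_addr.s_addr = s_addr_be;
}

/* Post-patch shape: the same assignments plus the memset the patch adds. */
static void v4_from_param_fixed(union demo_sctp_addr *addr,
				uint32_t s_addr_be, uint16_t port_be)
{
	addr->v4.sin_family = AF_INET;
	addr->v4.sin_port = port_be;
	addr->v4.sin_addr.s_addr = s_addr_be;
	memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
}

/* Non-zero bytes in sin_zero. With the caller's buffer pre-filled below,
 * this is how many stale bytes would have gone into the checksum and
 * onto the wire. */
static size_t stale_sin_zero_bytes(const union demo_sctp_addr *addr)
{
	size_t i, n = 0;

	for (i = 0; i < sizeof(addr->v4.sin_zero); i++)
		if (addr->v4.sin_zero[i] != 0)
			n++;
	return n;
}

/* Non-zero bytes of the union that lie past struct sockaddr_in. Neither
 * variant above writes them, so they stay caller-supplied in both cases. */
static size_t stale_tail_bytes(const union demo_sctp_addr *addr)
{
	const unsigned char *p = (const unsigned char *)addr;
	size_t i, n = 0;

	for (i = sizeof(struct sockaddr_in); i < sizeof(*addr); i++)
		if (p[i] != 0)
			n++;
	return n;
}

/* Pre-fill the union with a recognisable pattern (a constructed stand-in
 * for uninitialised stack memory) and run one of the two conversions on
 * it; fixed != 0 selects the patched logic. 10.0.0.1:9999 is a made-up
 * address. */
static void convert_on_dirty_buffer(int fixed, union demo_sctp_addr *addr)
{
	memset(addr, 0xAA, sizeof(*addr));
	if (fixed)
		v4_from_param_fixed(addr, htonl(0x0A000001u), htons(9999));
	else
		v4_from_param_unfixed(addr, htonl(0x0A000001u), htons(9999));
}

/* Stale sin_zero bytes left after one conversion on a dirty buffer. */
static size_t stale_sin_zero_after(int fixed)
{
	union demo_sctp_addr addr;

	convert_on_dirty_buffer(fixed, &addr);
	return stale_sin_zero_bytes(&addr);
}

/* Stale bytes past struct sockaddr_in after one conversion. */
static size_t stale_tail_after(int fixed)
{
	union demo_sctp_addr addr;

	convert_on_dirty_buffer(fixed, &addr);
	return stale_tail_bytes(&addr);
}

int main(void)
{
	printf("unfixed: %zu stale sin_zero byte(s)\n", stale_sin_zero_after(0));
	printf("fixed:   %zu stale sin_zero byte(s)\n", stale_sin_zero_after(1));
	printf("bytes past sockaddr_in untouched by either variant: %zu of %zu\n",
	       stale_tail_after(1),
	       sizeof(union demo_sctp_addr) - sizeof(struct sockaddr_in));
	return 0;
}
```

On a glibc/Linux build the unfixed variant leaves all 8 sin_zero bytes stale and the fixed one leaves none, while the 12 bytes past struct sockaddr_in stay stale in both runs, which is the reason a reviewer may prefer zeroing the whole union (or the whole struct before assigning) over zeroing the padding field alone.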