Date: Fri, 20 Mar 2020 10:48:13 +0100
From: Greg Kroah-Hartman
To: Alexei Starovoitov, Daniel Borkmann
Cc: Martin KaFai Lau, Song Liu, Yonghong Song, Andrii Nakryiko, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, Maciej Żenczykowski, John Stultz, Alexander Potapenko, Alistair Delva
Subject: [PATCH] bpf: explicitly memset the bpf_attr structure
Message-ID: <20200320094813.GA421650@kroah.com>

For the bpf syscall, we are relying on the compiler to properly zero out
the bpf_attr union that we copy userspace data into. Unfortunately that
doesn't always work properly, padding and other oddities might not be
correctly zeroed, and in some tests odd things have been found when the
stack is pre-initialized to other values.

Fix this by explicitly memsetting the structure to 0 before using it.

Reported-by: Maciej Żenczykowski
Reported-by: John Stultz
Reported-by: Alexander Potapenko
Reported-by: Alistair Delva
Cc: stable
Link: https://android-review.googlesource.com/c/kernel/common/+/1235490
Signed-off-by: Greg Kroah-Hartman
--- kernel/bpf/syscall.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index a91ad518c050..a4b1de8ea409 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -3354,7 +3354,7 @@ static int bpf_map_do_batch(const union bpf_attr *attr, SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size) { - union bpf_attr attr = {}; + union bpf_attr attr; int err; if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) 
@@ -3366,6 +3366,7 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz size = min_t(u32, size, sizeof(attr)); /* copy attributes from user space, may be less than sizeof(bpf_attr) */ + memset(&attr, 0, sizeof(attr)); if (copy_from_user(&attr, uattr, size) != 0) return -EFAULT; base-commit: 6c90b86a745a446717fdf408c4a8a4631a5e8ee3 -- 2.25.2
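
Review bot: In the first hunk (@@ -3354,7), the declaration "union bpf_attr attr;" now has no initializer and nothing in the code says that this is deliberate, so a later cleanup could put "= {}" back and reintroduce the problem the commit message describes. A one-line comment at the declaration, or at the memset, stating that the initializer does not reliably clear padding and that the memset is required would keep the reasoning in the source. Dropping the initializer also means attr holds stack contents until the memset in the second hunk, so anything placed between the two must not read it.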
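
Review bot: In the second hunk (@@ -3366,6), the new "memset(&attr, 0, sizeof(attr));" is inserted between the existing comment "copy attributes from user space, may be less than sizeof(bpf_attr)" and the copy_from_user() call that comment describes, so the comment now reads as if it documents the memset. Consider placing the memset above the comment, or extending the comment to say that the whole union is cleared first because size may be smaller than sizeof(attr) and the bytes past size, padding included, must be zero.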