Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1357313pxk; Sat, 12 Sep 2020 22:58:01 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwqN/rDik93bGJUNjslDf3SDTGLPcYKmFT/pIptFtoCZh0Ro1tMkM7+KyHFMKxwnOAUZkmr X-Received: by 2002:a17:907:7206:: with SMTP id dr6mr9357659ejc.546.1599976681784; Sat, 12 Sep 2020 22:58:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599976681; cv=none; d=google.com; s=arc-20160816; b=TzTdmWF30UiKHNfdQIVAWI1uyH8R0tyRNbL38tqvI0wqS4dSKPnBidPnAxah3BPZwk ChurNU/jf1KSZMjJ8Z9HbDC+Ebc+nzvS/SdGl9+GGYDTActxHdVnOv9rJ/djANjBmNTC jZ+Ni9r0TBw2e9NYc988gQkI91HBNuv8fCP5AfIwt6gl+Xkx7znyGQwu+lglV4vuNPjY eYKy/nETOpvA9dcZ6fL3PSAs8csDPyONUPmu+B7JeXBOfv2GQs7LRcy6UjbrddpK+HO/ CSH0yb1cdox+grhIBgaevSO+zvez+55ELGwzEQmJxKALo80NG7+cRtnSl9cUz0xt3ENz TRXA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:content-transfer-encoding:mime-version :message-id:date:subject:cc:from:dkim-signature; bh=L2601ptSXb6354ZGKXlq6HrTN3axEbz58J2HKuGGYWU=; b=bASj0rTwL84D3MDfdUZOchsqFkTICJTmYKURggSzS6yANug8G3VTec2XtwlLDNYNq2 lm9Af9P5EUbJtyJspUY0jB2V6RMzwsgveCkOJW+whUYwUTcf+PKjXDwQxmRgfgipP7Ij hNK1UVdoXe2Die33Zhk8RRQr9FOGAhhAi5CRgZWw5NFdWuZ/2iliyFAZ3aSnDdRE9JGW Szp/23qIrhgm3D1QAEaD2bdC7gjZb4xPHQJVVI6/IeD+szIAAeTqZlWrbbmx9hIZtfb8 ZV3VOQL8vvFxu2ffIa+5Z2n3SJt+1tyQ2REnJWBGXLoSwRkb34AOgYxUntYurNoaz1M5 /gzQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=FyayF2U2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c10si4796949edw.68.2020.09.12.22.57.38; Sat, 12 Sep 2020 22:58:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=FyayF2U2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725913AbgIMF5G (ORCPT + 99 others); Sun, 13 Sep 2020 01:57:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49470 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725883AbgIMF5E (ORCPT ); Sun, 13 Sep 2020 01:57:04 -0400 Received: from mail-pg1-x544.google.com (mail-pg1-x544.google.com [IPv6:2607:f8b0:4864:20::544]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0806BC061573; Sat, 12 Sep 2020 22:57:03 -0700 (PDT) Received: by mail-pg1-x544.google.com with SMTP id g29so9112667pgl.2; Sat, 12 Sep 2020 22:57:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=L2601ptSXb6354ZGKXlq6HrTN3axEbz58J2HKuGGYWU=; b=FyayF2U2stxus5nipHGS9LqyIsgvxkZaCmO1YlyP+DMbSM9PkigzoMoAlBfUDlmEVe tWv0Bp8ZUA/KbaOMqZ0AeJY+VU9+iSmKbSd5WRrXXVIldnvYE8B4efGwdzV+ONlYTjj0 kaGiQuey9eFdf/YxL47QFJpHwdfAEfGUfXn3VAfihSGiq+QQ+D4PHBb9l445MlnN48hQ zG9GxaL4wcQ97i8PnmU7HD5hU6uVFalP41lQ+I5mQIjjk9sZLROUBlu1rQMkDNnw6GYP FRbgOk7oO19H8Xbc1juAf1yKbcQyeZ1CYf8lG5+zULK5idwK12X/5PSQOlXpZKSIgofg /16g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=L2601ptSXb6354ZGKXlq6HrTN3axEbz58J2HKuGGYWU=; b=HjkzvJw0YlQlNIw2n7qBObWqrjMYxmkXAOPiU4ioFiEEsIfJAr/GEKk4iIAIBv17ef g0yHGUEyqfVUmuinsExMrJgaQydaex8TQX2UsjAnH4DQFXqpAeIPbXL8kGDmldYah7Et fcX9+RhyaB8VVjZQqH+JVHYVCHUHVxp7TYH5AFKKdnViKWnLBvM6FhwNn4XNKhoZF1Dv qzYqjODYX/UV+T/oH+5BFiguhcw7SY9V8a8mswUGfmD7ti0oAkggLLSQh4E7CiH/DdQI R4O6P5HWpLzCm+hjb2QtedkbeywhAgGF1Fq1vwBhHZoA/IYTRqKHgCzGR3HOZJj/svMg PO7Q== X-Gm-Message-State: AOAM5320dD1P4YPECZYkEbTKR2tZvAH6PiszQ1RTlu58fDNg5KiqcFi6 jBNccgbtt9Z1h94/QSierOKgowkTUb7sxh2mRl4= X-Received: by 2002:a63:2209:: with SMTP id i9mr2077924pgi.130.1599976623233; Sat, 12 Sep 2020 22:57:03 -0700 (PDT) Received: from localhost.localdomain ([49.207.209.61]) by smtp.gmail.com with ESMTPSA id o20sm5722171pgh.63.2020.09.12.22.56.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 12 Sep 2020 22:57:02 -0700 (PDT) From: Anant Thazhemadam Cc: linux-kernel-mentees@lists.linuxfoundation.org, Anant Thazhemadam , syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com, "David S. Miller" , Jakub Kicinski , netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] net: fix uninit value error in __sys_sendmmsg Date: Sun, 13 Sep 2020 11:26:39 +0530 Message-Id: <20200913055639.15639-1-anant.thazhemadam@gmail.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit To: unlisted-recipients:; (no To-header on input) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The crash report showed that there was a local variable; ----iovstack.i@__sys_sendmmsg created at: ___sys_sendmsg net/socket.c:2388 [inline] __sys_sendmmsg+0x6db/0xc90 net/socket.c:2480 that was left uninitialized. The contents of iovstack are of interest, since the respective pointer is passed down as an argument to sendmsg_copy_msghdr as well. Initializing this contents of this stack prevents this bug from happening. Since the memory that was initialized is freed at the end of the function call, memory leaks are not likely to be an issue. syzbot seems to have triggered this error by passing an array of 0's as a parameter while making the initial system call. Reported-by: syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com Tested-by: syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com Signed-off-by: Anant Thazhemadam --- net/socket.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/socket.c b/net/socket.c index 0c0144604f81..d74443dfd73b 100644 --- a/net/socket.c +++ b/net/socket.c @@ -2396,6 +2396,7 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg, { struct sockaddr_storage address; struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; + memset(iov, 0, UIO_FASTIOV); ssize_t err; msg_sys->msg_name = &address; -- 2.25.1