From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Alexander Potapenko <glider@google.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 41/53] tipc: fix an information leak in tipc_topsrv_kern_subscr
Date: Thu, 27 Oct 2022 18:56:29 +0200 [thread overview]
Message-ID: <20221027165051.385954935@linuxfoundation.org> (raw)
In-Reply-To: <20221027165049.817124510@linuxfoundation.org>
From: Alexander Potapenko <glider@google.com>
[ Upstream commit 777ecaabd614d47c482a5c9031579e66da13989a ]
Use a 8-byte write to initialize sub.usr_handle in
tipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized
when issuing setsockopt(..., SOL_TIPC, ...).
This resulted in an infoleak reported by KMSAN when the packet was
received:
=====================================================
BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169
instrument_copy_to_user ./include/linux/instrumented.h:121
copyout+0xbc/0x100 lib/iov_iter.c:169
_copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527
copy_to_iter ./include/linux/uio.h:176
simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513
__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527
skb_copy_datagram_msg ./include/linux/skbuff.h:3903
packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469
____sys_recvmsg+0x2c4/0x810 net/socket.c:?
___sys_recvmsg+0x217/0x840 net/socket.c:2743
__sys_recvmsg net/socket.c:2773
__do_sys_recvmsg net/socket.c:2783
__se_sys_recvmsg net/socket.c:2780
__x64_sys_recvmsg+0x364/0x540 net/socket.c:2780
do_syscall_x64 arch/x86/entry/common.c:50
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120
...
Uninit was stored to memory at:
tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156
tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375
tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579
tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190
tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084
tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201
__sys_setsockopt+0x87f/0xdc0 net/socket.c:2252
__do_sys_setsockopt net/socket.c:2263
__se_sys_setsockopt net/socket.c:2260
__x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260
do_syscall_x64 arch/x86/entry/common.c:50
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120
Local variable sub created at:
tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562
tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190
Bytes 84-87 of 88 are uninitialized
Memory access of size 88 starts at ffff88801ed57cd0
Data copied to user address 0000000020000400
...
=====================================================
Signed-off-by: Alexander Potapenko <glider@google.com>
Fixes: 026321c6d056a5 ("tipc: rename tipc_server to tipc_topsrv")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/topsrv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
index 444e1792d02c..b8797ff153e6 100644
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -568,7 +568,7 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower,
sub.seq.upper = upper;
sub.timeout = TIPC_WAIT_FOREVER;
sub.filter = filter;
- *(u32 *)&sub.usr_handle = port;
+ *(u64 *)&sub.usr_handle = (u64)port;
con = tipc_conn_alloc(tipc_topsrv(net));
if (IS_ERR(con))
--
2.35.1
next prev parent reply other threads:[~2022-10-27 17:09 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-27 16:55 [PATCH 5.4 00/53] 5.4.221-rc1 review Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 01/53] xfs: open code insert range extent split helper Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 02/53] xfs: rework insert range into an atomic operation Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 03/53] xfs: rework collapse " Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 04/53] xfs: add a function to deal with corrupt buffers post-verifiers Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 05/53] xfs: xfs_buf_corruption_error should take __this_address Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 06/53] xfs: fix buffer corruption reporting when xfs_dir3_free_header_check fails Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 07/53] xfs: check owner of dir3 data blocks Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 08/53] xfs: check owner of dir3 blocks Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 09/53] xfs: Use scnprintf() for avoiding potential buffer overflow Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 10/53] xfs: remove the xfs_disk_dquot_t and xfs_dquot_t Greg Kroah-Hartman
2022-10-27 16:55 ` [PATCH 5.4 11/53] xfs: remove the xfs_dq_logitem_t typedef Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 12/53] xfs: remove the xfs_qoff_logitem_t typedef Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 13/53] xfs: Replace function declaration by actual definition Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 14/53] xfs: factor out quotaoff intent AIL removal and memory free Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 15/53] xfs: fix unmount hang and memory leak on shutdown during quotaoff Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 16/53] xfs: preserve default grace interval during quotacheck Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 17/53] xfs: Lower CIL flush limit for large logs Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 18/53] xfs: Throttle commits on delayed background CIL push Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 19/53] xfs: factor common AIL item deletion code Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 20/53] xfs: tail updates only need to occur when LSN changes Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 21/53] xfs: dont write a corrupt unmount record to force summary counter recalc Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 22/53] xfs: trylock underlying buffer on dquot flush Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 23/53] xfs: factor out a new xfs_log_force_inode helper Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 24/53] xfs: reflink should force the log out if mounted with wsync Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 25/53] xfs: move inode flush to the sync workqueue Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 26/53] xfs: fix use-after-free on CIL context on shutdown Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 27/53] ocfs2: clear dinode links count in case of error Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 28/53] ocfs2: fix BUG when iput after ocfs2_mknod fails Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 29/53] x86/microcode/AMD: Apply the patch early on every logical thread Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 30/53] hwmon/coretemp: Handle large core ID value Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 31/53] ata: ahci-imx: Fix MODULE_ALIAS Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 32/53] ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 33/53] KVM: arm64: vgic: Fix exit condition in scan_its_table() Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 34/53] media: venus: dec: Handle the case where find_format fails Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 35/53] arm64: errata: Remove AES hwcap for COMPAT tasks Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 36/53] r8152: add PID for the Lenovo OneLink+ Dock Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 37/53] btrfs: fix processing of delayed data refs during backref walking Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 38/53] btrfs: fix processing of delayed tree block " Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 39/53] ACPI: extlog: Handle multiple records Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 40/53] tipc: Fix recognition of trial period Greg Kroah-Hartman
2022-10-27 16:56 ` Greg Kroah-Hartman [this message]
2022-10-27 16:56 ` [PATCH 5.4 42/53] HID: magicmouse: Do not set BTN_MOUSE on double report Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 43/53] net/atm: fix proc_mpc_write incorrect return value Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 44/53] net: phy: dp83867: Extend RX strap quirk for SGMII mode Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 45/53] net: sched: cake: fix null pointer access issue when cake_init() fails Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 46/53] net: hns: fix possible memory leak in hnae_ae_register() Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 47/53] iommu/vt-d: Clean up si_domain in the init_dmars() error path Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 48/53] arm64: topology: move store_cpu_topology() to shared code Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 49/53] riscv: topology: fix default topology reporting Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 50/53] [PATCH v3] ACPI: video: Force backlight native for more TongFang devices Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 51/53] Makefile.debug: re-enable debug info for .S files Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 52/53] hv_netvsc: Fix race between VF offering and VF association message from host Greg Kroah-Hartman
2022-10-27 16:56 ` [PATCH 5.4 53/53] mm: /proc/pid/smaps_rollup: fix no vmas null-deref Greg Kroah-Hartman
2022-10-28 10:49 ` [PATCH 5.4 00/53] 5.4.221-rc1 review Sudip Mukherjee (Codethink)
2022-10-28 11:58 ` Jon Hunter
2022-10-28 14:01 ` Naresh Kamboju
2022-10-28 20:06 ` Florian Fainelli
2022-10-29 3:35 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221027165051.385954935@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=glider@google.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.