LKML Archive on lore.kernel.org
 help / color / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com,
	Xin Long <lucien.xin@gmail.com>,
	Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 15/47] sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event
Date: Fri, 11 Jan 2019 15:08:00 +0100
Message-ID: <20190111130957.923531077@linuxfoundation.org> (raw)
In-Reply-To: <20190111130956.170952125@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 4a2eb0c37b4759416996fbb4c45b932500cf06d3 ]

syzbot reported a kernel-infoleak, which is caused by an uninitialized
field(sin6_flowinfo) of addr->a.v6 in sctp_inet6addr_event().
The call trace is as below:

  BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
  CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
  Google 01/01/2011
  Call Trace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x32d/0x480 lib/dump_stack.c:113
    kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
    kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
    kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
    _copy_to_user+0x19a/0x230 lib/usercopy.c:33
    copy_to_user include/linux/uaccess.h:183 [inline]
    sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
    sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
    sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
    __sys_getsockopt+0x489/0x550 net/socket.c:1939
    __do_sys_getsockopt net/socket.c:1950 [inline]
    __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
    __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
    do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
    entry_SYSCALL_64_after_hwframe+0x63/0xe7

sin6_flowinfo is not really used by SCTP, so it will be fixed by simply
setting it to 0.

The issue exists since very beginning.
Thanks Alexander for the reproducer provided.

Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/ipv6.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct n
 		if (addr) {
 			addr->a.v6.sin6_family = AF_INET6;
 			addr->a.v6.sin6_port = 0;
+			addr->a.v6.sin6_flowinfo = 0;
 			addr->a.v6.sin6_addr = ifa->addr;
 			addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
 			addr->valid = 1;



  parent reply index

Thread overview: 52+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-11 14:07 [PATCH 3.18 00/47] 3.18.132-stable review Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 01/47] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 02/47] USB: serial: option: add HP lt4132 Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 03/47] mmc: core: Reset HPI enabled state during re-init and in case of errors Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 04/47] mmc: omap_hsmmc: fix DMA API warning Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 05/47] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 06/47] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 07/47] x86/mtrr: Dont copy uninitialized gentry fields back to userspace Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 08/47] ax25: fix a use-after-free in ax25_fillin_cb() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 09/47] ibmveth: fix DMA unmap error in ibmveth_xmit_start error path Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 10/47] ipv6: explicitly initialize udp6_addr in udp_sock_create6() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 11/47] isdn: fix kernel-infoleak in capi_unlocked_ioctl Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 12/47] netrom: fix locking in nr_find_socket() Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 13/47] packet: validate address length Greg Kroah-Hartman
2019-01-11 14:07 ` [PATCH 3.18 14/47] packet: validate address length if non-zero Greg Kroah-Hartman
2019-01-11 14:08 ` Greg Kroah-Hartman [this message]
2019-01-11 14:08 ` [PATCH 3.18 16/47] vhost: make sure used idx is seen before log in vhost_add_used_n() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 17/47] VSOCK: Send reset control packet when socket is partially bound Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 18/47] xen/netfront: tolerate frags with no data Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 19/47] sock: Make sock->sk_stamp thread-safe Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 20/47] USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 21/47] usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 22/47] KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 23/47] ext4: fix possible use after free in ext4_quota_enable Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 24/47] ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 25/47] ext4: force inode writes when nfsd calls commit_metadata() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 26/47] cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 27/47] media: vivid: free bitmap_cap when updating std/timings/etc Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 28/47] MIPS: Ensure pmd_present() returns false after pmd_mknotpresent() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 29/47] MIPS: Align kernel load address to 64KB Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 30/47] CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 31/47] scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 32/47] fork: record start_time late Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 33/47] sunrpc: fix cache_head leak due to queued request Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 34/47] sunrpc: use SVC_NET() in svcauth_gss_* functions Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 35/47] ALSA: cs46xx: Potential NULL dereference in probe Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 36/47] ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 37/47] ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 38/47] dlm: fixed memory leaks after failed ls_remove_names allocation Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 39/47] dlm: possible memory leak on error path in create_lkb() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 40/47] dlm: lost put_lkb on error path in receive_convert() and receive_unlock() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 41/47] dlm: memory leaks on error path in dlm_user_request() Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 42/47] gfs2: Fix loop in gfs2_rbm_find Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 43/47] b43: Fix error in cordic routine Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 44/47] 9p/net: put a lower bound on msize Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 45/47] ceph: dont update importing caps mseq when handing cap export Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 46/47] genwqe: Fix size check Greg Kroah-Hartman
2019-01-11 14:08 ` [PATCH 3.18 47/47] power: supply: olpc_battery: correct the temperature units Greg Kroah-Hartman
2019-01-11 21:50 ` [PATCH 3.18 00/47] 3.18.132-stable review shuah
2019-01-12 14:58 ` Harsh Shandilya
2019-01-12 17:42 ` Guenter Roeck
2019-01-13  7:44   ` Greg Kroah-Hartman

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190111130957.923531077@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lucien.xin@gmail.com \
    --cc=marcelo.leitner@gmail.com \
    --cc=nhorman@tuxdriver.com \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
	git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org linux-kernel@archiver.kernel.org
	public-inbox-index lkml


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/ public-inbox