)]}'
{
  "commit": "7f2fcff15e99bb852f6967396ed12b38376e2c8d",
  "tree": "9e55df43af361295d6b49d09c03eed3bba79fab5",
  "parents": [
    "34080db3e70ddf94c38512ad2331e3c3afca6cc1"
  ],
  "author": {
    "name": "Xiang Mei",
    "email": "xmei5@asu.edu",
    "time": "Sat Jun 06 22:44:28 2026 -0700"
  },
  "committer": {
    "name": "Jakub Kicinski",
    "email": "kuba@kernel.org",
    "time": "Tue Jun 09 18:33:18 2026 -0700"
  },
  "message": "tun: zero the whole vnet header in tun_put_user()\n\ntun_put_user() declares an on-stack struct virtio_net_hdr_v1_hash_tunnel\nwithout zeroing it. For a non-tunnel skb, virtio_net_hdr_tnl_from_skb()\nonly initializes the first 10 bytes (sizeof(struct virtio_net_hdr)),\nleaving bytes 10..23 (num_buffers and the hash/tunnel fields) as stack\ngarbage.\n\nAn unprivileged user can set the vnet header size to 24 with\nTUNSETVNETHDRSZ, so __tun_vnet_hdr_put() copies all 24 bytes of the\npartially-initialized struct to userspace, leaking 14 bytes of kernel\nstack on every read of a non-tunnel packet.\n\nFix it the same way tun_get_user() already does by zeroing the whole\nheader right after declaration.\n\nFixes: 288f30435132 (\"tun: enable gso over UDP tunnel support.\")\nReported-by: Weiming Shi \u003cbestswngs@gmail.com\u003e\nSigned-off-by: Xiang Mei \u003cxmei5@asu.edu\u003e\nReviewed-by: Willem de Bruijn \u003cwillemb@google.com\u003e\nLink: https://patch.msgid.link/20260607054428.3050243-1-xmei5@asu.edu\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "9e7744eb57a32523406498f4d81c0286617b1695",
      "old_mode": 33188,
      "old_path": "drivers/net/tun.c",
      "new_id": "fed9dfdfcc3bc093970db57392ead13a5bc3fb69",
      "new_mode": 33188,
      "new_path": "drivers/net/tun.c"
    }
  ]
}