| From foo@baz Fri Jan 4 20:27:35 CET 2019 |
| From: Xin Long <lucien.xin@gmail.com> |
| Date: Mon, 10 Dec 2018 18:00:52 +0800 |
| Subject: sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event |
| |
| From: Xin Long <lucien.xin@gmail.com> |
| |
| [ Upstream commit 4a2eb0c37b4759416996fbb4c45b932500cf06d3 ] |
| |
| syzbot reported a kernel-infoleak, which is caused by an uninitialized |
| field(sin6_flowinfo) of addr->a.v6 in sctp_inet6addr_event(). |
| The call trace is as below: |
| |
| BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33 |
| CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95 |
| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS |
| Google 01/01/2011 |
| Call Trace: |
| __dump_stack lib/dump_stack.c:77 [inline] |
| dump_stack+0x32d/0x480 lib/dump_stack.c:113 |
| kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683 |
| kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743 |
| kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634 |
| _copy_to_user+0x19a/0x230 lib/usercopy.c:33 |
| copy_to_user include/linux/uaccess.h:183 [inline] |
| sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline] |
| sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477 |
| sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937 |
| __sys_getsockopt+0x489/0x550 net/socket.c:1939 |
| __do_sys_getsockopt net/socket.c:1950 [inline] |
| __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947 |
| __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947 |
| do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291 |
| entry_SYSCALL_64_after_hwframe+0x63/0xe7 |
| |
| sin6_flowinfo is not really used by SCTP, so it will be fixed by simply |
| setting it to 0. |
| |
| The issue exists since very beginning. |
| Thanks Alexander for the reproducer provided. |
| |
| Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com |
| Signed-off-by: Xin Long <lucien.xin@gmail.com> |
| Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> |
| Acked-by: Neil Horman <nhorman@tuxdriver.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/sctp/ipv6.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/net/sctp/ipv6.c |
| +++ b/net/sctp/ipv6.c |
| @@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct n |
| if (addr) { |
| addr->a.v6.sin6_family = AF_INET6; |
| addr->a.v6.sin6_port = 0; |
| + addr->a.v6.sin6_flowinfo = 0; |
| addr->a.v6.sin6_addr = ifa->addr; |
| addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex; |
| addr->valid = 1; |