queue-6.19/xfrm_user-fix-info-leak-in-build_report.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Date: Mon, 6 Apr 2026 17:34:22 +0200
 Subject: xfrm_user: fix info leak in build_report()

 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 commit d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 upstream.

 struct xfrm_user_report is a __u8 proto field followed by a struct
 xfrm_selector which means there is three "empty" bytes of padding, but
 the padding is never zeroed before copying to userspace.  Fix that up by
 zeroing the structure before setting individual member variables.

 Cc: stable <stable@kernel.org>
 Cc: Steffen Klassert <steffen.klassert@secunet.com>
 Cc: Herbert Xu <herbert@gondor.apana.org.au>
 Cc: "David S. Miller" <davem@davemloft.net>
 Cc: Eric Dumazet <edumazet@google.com>
 Cc: Jakub Kicinski <kuba@kernel.org>
 Cc: Paolo Abeni <pabeni@redhat.com>
 Cc: Simon Horman <horms@kernel.org>
 Assisted-by: gregkh_clanker_t1000
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/xfrm/xfrm_user.c |    1 +
  1 file changed, 1 insertion(+)

 --- a/net/xfrm/xfrm_user.c
 +++ b/net/xfrm/xfrm_user.c
 @@ -4108,6 +4108,7 @@ static int build_report(struct sk_buff *
  		return -EMSGSIZE;

  	ur = nlmsg_data(nlh);
 +	memset(ur, 0, sizeof(*ur));
  	ur->proto = proto;
  	memcpy(&ur->sel, sel, sizeof(ur->sel));
	From d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Date: Mon, 6 Apr 2026 17:34:22 +0200
	Subject: xfrm_user: fix info leak in build_report()

	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	commit d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 upstream.

	struct xfrm_user_report is a __u8 proto field followed by a struct
	xfrm_selector which means there is three "empty" bytes of padding, but
	the padding is never zeroed before copying to userspace. Fix that up by
	zeroing the structure before setting individual member variables.

	Cc: stable <stable@kernel.org>
	Cc: Steffen Klassert <steffen.klassert@secunet.com>
	Cc: Herbert Xu <herbert@gondor.apana.org.au>
	Cc: "David S. Miller" <davem@davemloft.net>
	Cc: Eric Dumazet <edumazet@google.com>
	Cc: Jakub Kicinski <kuba@kernel.org>
	Cc: Paolo Abeni <pabeni@redhat.com>
	Cc: Simon Horman <horms@kernel.org>
	Assisted-by: gregkh_clanker_t1000
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/xfrm/xfrm_user.c \| 1 +
	1 file changed, 1 insertion(+)

	--- a/net/xfrm/xfrm_user.c
	+++ b/net/xfrm/xfrm_user.c
	@@ -4108,6 +4108,7 @@ static int build_report(struct sk_buff *
	return -EMSGSIZE;

	ur = nlmsg_data(nlh);
	+ memset(ur, 0, sizeof(*ur));
	ur->proto = proto;
	memcpy(&ur->sel, sel, sizeof(ur->sel));