diff mbox series

[net] tipc: Fix kernel-infoleak due to uninitialized TLV value

Message ID 20231110163947.1605168-1-syoshida@redhat.com (mailing list archive)
State Accepted
Commit fb317eb23b5ee4c37b0656a9a52a3db58d9dd072
Delegated to: Netdev Maintainers
Headers show
Series [net] tipc: Fix kernel-infoleak due to uninitialized TLV value | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1134 this patch: 1134
netdev/cc_maintainers success CCed 7 of 9 maintainers
netdev/build_clang success Errors and warnings before: 1161 this patch: 1161
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 1161 this patch: 1161
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 7 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Shigeru Yoshida Nov. 10, 2023, 4:39 p.m. UTC 
KMSAN reported the following kernel-infoleak issue:

=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
 instrument_copy_to_user include/linux/instrumented.h:114 [inline]
 copy_to_user_iter lib/iov_iter.c:24 [inline]
 iterate_ubuf include/linux/iov_iter.h:29 [inline]
 iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
 iterate_and_advance include/linux/iov_iter.h:271 [inline]
 _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
 copy_to_iter include/linux/uio.h:197 [inline]
 simple_copy_to_iter net/core/datagram.c:532 [inline]
 __skb_datagram_iter.5+0x148/0xe30 net/core/datagram.c:420
 skb_copy_datagram_iter+0x52/0x210 net/core/datagram.c:546
 skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
 netlink_recvmsg+0x43d/0x1630 net/netlink/af_netlink.c:1967
 sock_recvmsg_nosec net/socket.c:1044 [inline]
 sock_recvmsg net/socket.c:1066 [inline]
 __sys_recvfrom+0x476/0x860 net/socket.c:2246
 __do_sys_recvfrom net/socket.c:2264 [inline]
 __se_sys_recvfrom net/socket.c:2260 [inline]
 __x64_sys_recvfrom+0x130/0x200 net/socket.c:2260
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 slab_post_alloc_hook+0x103/0x9e0 mm/slab.h:768
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x5f7/0xb50 mm/slub.c:3523
 kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:560
 __alloc_skb+0x2fd/0x770 net/core/skbuff.c:651
 alloc_skb include/linux/skbuff.h:1286 [inline]
 tipc_tlv_alloc net/tipc/netlink_compat.c:156 [inline]
 tipc_get_err_tlv+0x90/0x5d0 net/tipc/netlink_compat.c:170
 tipc_nl_compat_recv+0x1042/0x15d0 net/tipc/netlink_compat.c:1324
 genl_family_rcv_msg_doit net/netlink/genetlink.c:972 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
 genl_rcv_msg+0x1220/0x12c0 net/netlink/genetlink.c:1067
 netlink_rcv_skb+0x4a4/0x6a0 net/netlink/af_netlink.c:2545
 genl_rcv+0x41/0x60 net/netlink/genetlink.c:1076
 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
 netlink_unicast+0xf4b/0x1230 net/netlink/af_netlink.c:1368
 netlink_sendmsg+0x1242/0x1420 net/netlink/af_netlink.c:1910
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x997/0xd60 net/socket.c:2588
 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2642
 __sys_sendmsg net/socket.c:2671 [inline]
 __do_sys_sendmsg net/socket.c:2680 [inline]
 __se_sys_sendmsg net/socket.c:2678 [inline]
 __x64_sys_sendmsg+0x2fa/0x4a0 net/socket.c:2678
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Bytes 34-35 of 36 are uninitialized
Memory access of size 36 starts at ffff88802d464a00
Data copied to user address 00007ff55033c0a0

CPU: 0 PID: 30322 Comm: syz-executor.0 Not tainted 6.6.0-14500-g1c41041124bd #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
=====================================================

tipc_add_tlv() puts TLV descriptor and value onto `skb`. This size is
calculated with TLV_SPACE() macro. It adds the size of struct tlv_desc and
the length of TLV value passed as an argument, and aligns the result to a
multiple of TLV_ALIGNTO, i.e., a multiple of 4 bytes.

If the size of struct tlv_desc plus the length of TLV value is not aligned,
the current implementation leaves the remaining bytes uninitialized. This
is the cause of the above kernel-infoleak issue.

This patch resolves this issue by clearing data up to an aligned size.

Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
---
 net/tipc/netlink_compat.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Simon Horman Nov. 12, 2023, 10:25 a.m. UTC | #1 
On Sat, Nov 11, 2023 at 01:39:47AM +0900, Shigeru Yoshida wrote:
> KMSAN reported the following kernel-infoleak issue:
> 
> =====================================================
> BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
> BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
> BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
> BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
> BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
>  instrument_copy_to_user include/linux/instrumented.h:114 [inline]
>  copy_to_user_iter lib/iov_iter.c:24 [inline]
>  iterate_ubuf include/linux/iov_iter.h:29 [inline]
>  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
>  iterate_and_advance include/linux/iov_iter.h:271 [inline]
>  _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
>  copy_to_iter include/linux/uio.h:197 [inline]
>  simple_copy_to_iter net/core/datagram.c:532 [inline]
>  __skb_datagram_iter.5+0x148/0xe30 net/core/datagram.c:420
>  skb_copy_datagram_iter+0x52/0x210 net/core/datagram.c:546
>  skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
>  netlink_recvmsg+0x43d/0x1630 net/netlink/af_netlink.c:1967
>  sock_recvmsg_nosec net/socket.c:1044 [inline]
>  sock_recvmsg net/socket.c:1066 [inline]
>  __sys_recvfrom+0x476/0x860 net/socket.c:2246
>  __do_sys_recvfrom net/socket.c:2264 [inline]
>  __se_sys_recvfrom net/socket.c:2260 [inline]
>  __x64_sys_recvfrom+0x130/0x200 net/socket.c:2260
>  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>  do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> 
> Uninit was created at:
>  slab_post_alloc_hook+0x103/0x9e0 mm/slab.h:768
>  slab_alloc_node mm/slub.c:3478 [inline]
>  kmem_cache_alloc_node+0x5f7/0xb50 mm/slub.c:3523
>  kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:560
>  __alloc_skb+0x2fd/0x770 net/core/skbuff.c:651
>  alloc_skb include/linux/skbuff.h:1286 [inline]
>  tipc_tlv_alloc net/tipc/netlink_compat.c:156 [inline]
>  tipc_get_err_tlv+0x90/0x5d0 net/tipc/netlink_compat.c:170
>  tipc_nl_compat_recv+0x1042/0x15d0 net/tipc/netlink_compat.c:1324
>  genl_family_rcv_msg_doit net/netlink/genetlink.c:972 [inline]
>  genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
>  genl_rcv_msg+0x1220/0x12c0 net/netlink/genetlink.c:1067
>  netlink_rcv_skb+0x4a4/0x6a0 net/netlink/af_netlink.c:2545
>  genl_rcv+0x41/0x60 net/netlink/genetlink.c:1076
>  netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
>  netlink_unicast+0xf4b/0x1230 net/netlink/af_netlink.c:1368
>  netlink_sendmsg+0x1242/0x1420 net/netlink/af_netlink.c:1910
>  sock_sendmsg_nosec net/socket.c:730 [inline]
>  __sock_sendmsg net/socket.c:745 [inline]
>  ____sys_sendmsg+0x997/0xd60 net/socket.c:2588
>  ___sys_sendmsg+0x271/0x3b0 net/socket.c:2642
>  __sys_sendmsg net/socket.c:2671 [inline]
>  __do_sys_sendmsg net/socket.c:2680 [inline]
>  __se_sys_sendmsg net/socket.c:2678 [inline]
>  __x64_sys_sendmsg+0x2fa/0x4a0 net/socket.c:2678
>  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>  do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> 
> Bytes 34-35 of 36 are uninitialized
> Memory access of size 36 starts at ffff88802d464a00
> Data copied to user address 00007ff55033c0a0
> 
> CPU: 0 PID: 30322 Comm: syz-executor.0 Not tainted 6.6.0-14500-g1c41041124bd #10
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
> =====================================================
> 
> tipc_add_tlv() puts TLV descriptor and value onto `skb`. This size is
> calculated with TLV_SPACE() macro. It adds the size of struct tlv_desc and
> the length of TLV value passed as an argument, and aligns the result to a
> multiple of TLV_ALIGNTO, i.e., a multiple of 4 bytes.
> 
> If the size of struct tlv_desc plus the length of TLV value is not aligned,
> the current implementation leaves the remaining bytes uninitialized. This
> is the cause of the above kernel-infoleak issue.
> 
> This patch resolves this issue by clearing data up to an aligned size.
> 
> Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
> Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>

Thanks Yoshida-san,

I agree with both your analysis and that the fix is correct.
I also agree that the problem was introduced by the cited commit.

I did wonder if there would be an advantage to only zeroing the
otherwise uninitialised portion of tlv, but I guess that the complexity
isn't worth any gain: all of TLV likely fits into a single cacheline
anyway.

Reviewed-by: Simon Horman <horms@kernel.org>

> ---
>  net/tipc/netlink_compat.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
> index 5bc076f2fa74..c763008a8adb 100644
> --- a/net/tipc/netlink_compat.c
> +++ b/net/tipc/netlink_compat.c
> @@ -102,6 +102,7 @@ static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len)
>  		return -EMSGSIZE;
>  
>  	skb_put(skb, TLV_SPACE(len));
> +	memset(tlv, 0, TLV_SPACE(len));
>  	tlv->tlv_type = htons(type);
>  	tlv->tlv_len = htons(TLV_LENGTH(len));
>  	if (len && data)
> -- 
> 2.41.0
> 
>
Shigeru Yoshida Nov. 13, 2023, 5:17 a.m. UTC | #2 
On Sun, 12 Nov 2023 10:25:13 +0000, Simon Horman wrote:
> On Sat, Nov 11, 2023 at 01:39:47AM +0900, Shigeru Yoshida wrote:
>> KMSAN reported the following kernel-infoleak issue:
>> 
>> =====================================================
>> BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
>> BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
>> BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
>> BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
>> BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
>> BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
>>  instrument_copy_to_user include/linux/instrumented.h:114 [inline]
>>  copy_to_user_iter lib/iov_iter.c:24 [inline]
>>  iterate_ubuf include/linux/iov_iter.h:29 [inline]
>>  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
>>  iterate_and_advance include/linux/iov_iter.h:271 [inline]
>>  _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
>>  copy_to_iter include/linux/uio.h:197 [inline]
>>  simple_copy_to_iter net/core/datagram.c:532 [inline]
>>  __skb_datagram_iter.5+0x148/0xe30 net/core/datagram.c:420
>>  skb_copy_datagram_iter+0x52/0x210 net/core/datagram.c:546
>>  skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
>>  netlink_recvmsg+0x43d/0x1630 net/netlink/af_netlink.c:1967
>>  sock_recvmsg_nosec net/socket.c:1044 [inline]
>>  sock_recvmsg net/socket.c:1066 [inline]
>>  __sys_recvfrom+0x476/0x860 net/socket.c:2246
>>  __do_sys_recvfrom net/socket.c:2264 [inline]
>>  __se_sys_recvfrom net/socket.c:2260 [inline]
>>  __x64_sys_recvfrom+0x130/0x200 net/socket.c:2260
>>  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>>  do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
>>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
>> 
>> Uninit was created at:
>>  slab_post_alloc_hook+0x103/0x9e0 mm/slab.h:768
>>  slab_alloc_node mm/slub.c:3478 [inline]
>>  kmem_cache_alloc_node+0x5f7/0xb50 mm/slub.c:3523
>>  kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:560
>>  __alloc_skb+0x2fd/0x770 net/core/skbuff.c:651
>>  alloc_skb include/linux/skbuff.h:1286 [inline]
>>  tipc_tlv_alloc net/tipc/netlink_compat.c:156 [inline]
>>  tipc_get_err_tlv+0x90/0x5d0 net/tipc/netlink_compat.c:170
>>  tipc_nl_compat_recv+0x1042/0x15d0 net/tipc/netlink_compat.c:1324
>>  genl_family_rcv_msg_doit net/netlink/genetlink.c:972 [inline]
>>  genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
>>  genl_rcv_msg+0x1220/0x12c0 net/netlink/genetlink.c:1067
>>  netlink_rcv_skb+0x4a4/0x6a0 net/netlink/af_netlink.c:2545
>>  genl_rcv+0x41/0x60 net/netlink/genetlink.c:1076
>>  netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
>>  netlink_unicast+0xf4b/0x1230 net/netlink/af_netlink.c:1368
>>  netlink_sendmsg+0x1242/0x1420 net/netlink/af_netlink.c:1910
>>  sock_sendmsg_nosec net/socket.c:730 [inline]
>>  __sock_sendmsg net/socket.c:745 [inline]
>>  ____sys_sendmsg+0x997/0xd60 net/socket.c:2588
>>  ___sys_sendmsg+0x271/0x3b0 net/socket.c:2642
>>  __sys_sendmsg net/socket.c:2671 [inline]
>>  __do_sys_sendmsg net/socket.c:2680 [inline]
>>  __se_sys_sendmsg net/socket.c:2678 [inline]
>>  __x64_sys_sendmsg+0x2fa/0x4a0 net/socket.c:2678
>>  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>>  do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
>>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
>> 
>> Bytes 34-35 of 36 are uninitialized
>> Memory access of size 36 starts at ffff88802d464a00
>> Data copied to user address 00007ff55033c0a0
>> 
>> CPU: 0 PID: 30322 Comm: syz-executor.0 Not tainted 6.6.0-14500-g1c41041124bd #10
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
>> =====================================================
>> 
>> tipc_add_tlv() puts TLV descriptor and value onto `skb`. This size is
>> calculated with TLV_SPACE() macro. It adds the size of struct tlv_desc and
>> the length of TLV value passed as an argument, and aligns the result to a
>> multiple of TLV_ALIGNTO, i.e., a multiple of 4 bytes.
>> 
>> If the size of struct tlv_desc plus the length of TLV value is not aligned,
>> the current implementation leaves the remaining bytes uninitialized. This
>> is the cause of the above kernel-infoleak issue.
>> 
>> This patch resolves this issue by clearing data up to an aligned size.
>> 
>> Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
>> Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
> 
> Thanks Yoshida-san,
> 
> I agree with both your analysis and that the fix is correct.
> I also agree that the problem was introduced by the cited commit.
> 
> I did wonder if there would be an advantage to only zeroing the
> otherwise uninitialised portion of tlv, but I guess that the complexity
> isn't worth any gain: all of TLV likely fits into a single cacheline
> anyway.
> 
> Reviewed-by: Simon Horman <horms@kernel.org>

Hi Simon,

Thank you so much for always reviewing my work :)

Shigeru

> 
>> ---
>>  net/tipc/netlink_compat.c | 1 +
>>  1 file changed, 1 insertion(+)
>> 
>> diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
>> index 5bc076f2fa74..c763008a8adb 100644
>> --- a/net/tipc/netlink_compat.c
>> +++ b/net/tipc/netlink_compat.c
>> @@ -102,6 +102,7 @@ static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len)
>>  		return -EMSGSIZE;
>>  
>>  	skb_put(skb, TLV_SPACE(len));
>> +	memset(tlv, 0, TLV_SPACE(len));
>>  	tlv->tlv_type = htons(type);
>>  	tlv->tlv_len = htons(TLV_LENGTH(len));
>>  	if (len && data)
>> -- 
>> 2.41.0
>> 
>> 
>
patchwork-bot+netdevbpf@kernel.org Nov. 13, 2023, 11:10 a.m. UTC | #3 
Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Sat, 11 Nov 2023 01:39:47 +0900 you wrote:
> KMSAN reported the following kernel-infoleak issue:
> 
> =====================================================
> BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
> BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
> BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
> BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
> BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
> BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
>  instrument_copy_to_user include/linux/instrumented.h:114 [inline]
>  copy_to_user_iter lib/iov_iter.c:24 [inline]
>  iterate_ubuf include/linux/iov_iter.h:29 [inline]
>  iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
>  iterate_and_advance include/linux/iov_iter.h:271 [inline]
>  _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
>  copy_to_iter include/linux/uio.h:197 [inline]
>  simple_copy_to_iter net/core/datagram.c:532 [inline]
>  __skb_datagram_iter.5+0x148/0xe30 net/core/datagram.c:420
>  skb_copy_datagram_iter+0x52/0x210 net/core/datagram.c:546
>  skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
>  netlink_recvmsg+0x43d/0x1630 net/netlink/af_netlink.c:1967
>  sock_recvmsg_nosec net/socket.c:1044 [inline]
>  sock_recvmsg net/socket.c:1066 [inline]
>  __sys_recvfrom+0x476/0x860 net/socket.c:2246
>  __do_sys_recvfrom net/socket.c:2264 [inline]
>  __se_sys_recvfrom net/socket.c:2260 [inline]
>  __x64_sys_recvfrom+0x130/0x200 net/socket.c:2260
>  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>  do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> 
> [...]

Here is the summary with links:
  - [net] tipc: Fix kernel-infoleak due to uninitialized TLV value
    https://git.kernel.org/netdev/net/c/fb317eb23b5e

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index 5bc076f2fa74..c763008a8adb 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -102,6 +102,7 @@  static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len)
 		return -EMSGSIZE;
 
 	skb_put(skb, TLV_SPACE(len));
+	memset(tlv, 0, TLV_SPACE(len));
 	tlv->tlv_type = htons(type);
 	tlv->tlv_len = htons(TLV_LENGTH(len));
 	if (len && data)