From patchwork Wed May 2 21:53:39 2018
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 10376699
From: Eric Dumazet
To: "David S . Miller"
Cc: netdev, Eric Dumazet, Eric Dumazet, Santosh Shilimkar, linux-rdma
Subject: [PATCH net] rds: do not leak kernel memory to user land
Date: Wed, 2 May 2018 14:53:39 -0700
Message-Id: <20180502215339.117702-1-edumazet@google.com>
List-ID: linux-rdma@vger.kernel.org

syzbot/KMSAN reported an uninit-value in put_cmsg(), originating
from rds_cmsg_recv().

Simply clear the structure, since we have holes there, or since
rx_traces might be smaller than RDS_MSG_RX_DGRAM_TRACE_MAX.

BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
BUG: KMSAN: uninit-value in put_cmsg+0x600/0x870 net/core/scm.c:242
CPU: 0 PID: 4459 Comm: syz-executor582 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 kmsan_internal_check_memory+0x135/0x1e0 mm/kmsan/kmsan.c:1157
 kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
 copy_to_user include/linux/uaccess.h:184 [inline]
 put_cmsg+0x600/0x870 net/core/scm.c:242
 rds_cmsg_recv net/rds/recv.c:570 [inline]
 rds_recvmsg+0x2db5/0x3170 net/rds/recv.c:657
 sock_recvmsg_nosec net/socket.c:803 [inline]
 sock_recvmsg+0x1d0/0x230 net/socket.c:810
 ___sys_recvmsg+0x3fb/0x810 net/socket.c:2205
 __sys_recvmsg net/socket.c:2250 [inline]
 SYSC_recvmsg+0x298/0x3c0 net/socket.c:2262
 SyS_recvmsg+0x54/0x80 net/socket.c:2257
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Fixes: 3289025aedc0 ("RDS: add receive message trace used by application")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Cc: Santosh Shilimkar
Cc: linux-rdma
---
 net/rds/recv.c | 1 +
 1 file changed, 1 insertion(+)
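As an added example (not part of this patch or of the kernel source), the following C program models the bug class the commit message describes and the one-line fix: a cmsg struct with padding holes and two arrays that are only partially filled is built on stack storage that still holds stale bytes, then copied wholesale to a user buffer. The struct shape (a u8 count, a u8 position array, a u64 timestamp array), the constant TRACE_MAX = 4, the per-socket state and the stale-byte marker are assumptions standing in for struct rds_cmsg_rx_trace, RDS_MSG_RX_DGRAM_TRACE_MAX and the RDS socket fields; fake_put_cmsg() stands in for put_cmsg(). The stale marker is written explicitly so the program is deterministic instead of relying on real uninitialized memory.

```c
/* Added example, not kernel code: models the uninit-value leak that the
 * memset() added to rds_cmsg_recv() closes. Struct shape, TRACE_MAX and
 * the socket state below are assumptions, not copies of the uapi header. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRACE_MAX 4      /* assumed stand-in for RDS_MSG_RX_DGRAM_TRACE_MAX */
#define STALE 0xAA       /* constructed marker for "what the stack frame held before" */

struct rx_trace_cmsg {                 /* assumed shape, analogous to rds_cmsg_rx_trace */
    uint8_t  rx_traces;                /* how many entries below are valid */
    uint8_t  rx_trace_pos[TRACE_MAX];  /* which trace point each entry refers to */
    /* compiler inserts padding here so the u64 array is 8-byte aligned */
    uint64_t rx_trace[TRACE_MAX];      /* timestamps for those trace points */
};

struct sock_state {                    /* constructed per-socket / per-message state */
    uint8_t  rs_rx_traces;             /* trace points requested by the app, <= TRACE_MAX */
    uint8_t  rs_rx_trace[TRACE_MAX];   /* indices of the requested trace points */
    uint64_t i_rx_lat_trace[TRACE_MAX];/* timestamps captured along the rx path */
};

/* Stand-in for put_cmsg(): ships sizeof(t) bytes to "user land" verbatim. */
static void fake_put_cmsg(unsigned char *user, const void *data, size_t len)
{
    memcpy(user, data, len);
}

/* The field assignments both versions share; only the first rx_traces slots
 * of each array are written, so the tail (and the padding) is never touched. */
static void fill_fields(struct rx_trace_cmsg *t, const struct sock_state *rs)
{
    t->rx_traces = rs->rs_rx_traces;
    for (int i = 0; i < rs->rs_rx_traces; i++) {
        int j = rs->rs_rx_trace[i];
        t->rx_trace_pos[i] = (uint8_t)j;
        t->rx_trace[i] = rs->i_rx_lat_trace[j];
    }
}

/* Before the fix: the stale frame contents leak through padding and array tails. */
static void cmsg_recv_vulnerable(const struct sock_state *rs, unsigned char *user)
{
    struct rx_trace_cmsg t;
    memset(&t, STALE, sizeof(t));   /* constructed: whatever the frame held before */
    fill_fields(&t, rs);
    fake_put_cmsg(user, &t, sizeof(t));
}

/* After the fix: clear the whole object, holes included, before filling it. */
static void cmsg_recv_fixed(const struct sock_state *rs, unsigned char *user)
{
    struct rx_trace_cmsg t;
    memset(&t, STALE, sizeof(t));   /* same constructed stale frame... */
    memset(&t, 0, sizeof(t));       /* ...plus the one line the patch adds */
    fill_fields(&t, rs);
    fake_put_cmsg(user, &t, sizeof(t));
}

/* Count bytes of the user copy that still carry the stale marker. */
static size_t count_stale(const unsigned char *user, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (user[i] == STALE);
    return n;
}

/* Constructed input: the app asked for two trace points; no legitimate byte is 0xAA. */
static struct sock_state sample_state(void)
{
    struct sock_state rs = {
        .rs_rx_traces   = 2,
        .rs_rx_trace    = { 0, 3 },
        .i_rx_lat_trace = { 0x1000, 0x2000, 0x3000, 0x4000 },
    };
    return rs;
}

size_t leaked_bytes_before_fix(void)
{
    struct sock_state rs = sample_state();
    unsigned char user[sizeof(struct rx_trace_cmsg)];
    cmsg_recv_vulnerable(&rs, user);
    return count_stale(user, sizeof(user));
}

size_t leaked_bytes_after_fix(void)
{
    struct sock_state rs = sample_state();
    unsigned char user[sizeof(struct rx_trace_cmsg)];
    cmsg_recv_fixed(&rs, user);
    return count_stale(user, sizeof(user));
}

/* Bytes that must leak before the fix: the unused tail of both arrays. */
size_t min_expected_leak(void)
{
    size_t unused = TRACE_MAX - sample_state().rs_rx_traces;
    return unused * sizeof(uint8_t) + unused * sizeof(uint64_t);
}

/* Compiler padding between the u8 array and the u64 array; leaks on top of the tails. */
size_t padding_bytes(void)
{
    return offsetof(struct rx_trace_cmsg, rx_trace)
         - (offsetof(struct rx_trace_cmsg, rx_trace_pos) + TRACE_MAX);
}

int main(void)
{
    printf("struct size %zu, padding %zu bytes\n", sizeof(struct rx_trace_cmsg), padding_bytes());
    printf("stale bytes reaching user: before fix %zu, after fix %zu\n",
           leaked_bytes_before_fix(), leaked_bytes_after_fix());
    return 0;
}
```

The two leak sources are exactly the ones the commit message names: the holes (padding, 3 bytes on a typical 64-bit ABI) and the array slots beyond rx_traces (2 u8 plus 2 u64 entries here). A `= { 0 }` initializer would not be a safe substitute, because the C standard does not oblige it to zero padding bytes; memset() over sizeof(t) is the correct idiom for any object that is later copied to user space as a whole.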
diff --git a/net/rds/recv.c b/net/rds/recv.c index de50e2126e404aed541b8d268a28da08154bf08d..dc67458b52f0043c2328d4a77a43536e7c62b0ed 100644 --- a/net/rds/recv.c +++ b/net/rds/recv.c @@ -558,6 +558,7 @@ static int rds_cmsg_recv(struct rds_incoming *inc, struct msghdr *msg, struct rds_cmsg_rx_trace t; int i, j; + memset(&t, 0, sizeof(t)); inc->i_rx_lat_trace[RDS_MSG_RX_CMSG] = local_clock(); t.rx_traces = rs->rs_rx_traces; for (i = 0; i < rs->rs_rx_traces; i++) {
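Review bot: the memset(&t, 0, sizeof(t)) is the right form of the clear, and it should not be replaced by a `struct rds_cmsg_rx_trace t = {};` initializer during review polishing: the commit message says the struct has holes, put_cmsg() copies sizeof(t) bytes including those holes, and the C standard does not require an initializer to zero padding bytes, whereas memset() covers padding and also the array entries past rs->rs_rx_traces that the `for (i = 0; i < rs->rs_rx_traces; i++)` loop never writes. Two small follow-ups: a one-line comment at the memset noting that the object is copied wholesale to userspace would protect the clear from being "optimized away" by a future refactor that adds fields or switches to a partial initializer, and since the change is a one-liner with a Fixes: tag against an infoleak, it is a natural candidate for stable backports.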