| Message ID | 20221104103216.2576427-1-glider@google.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp310857wru;
Fri, 4 Nov 2022 03:37:01 -0700 (PDT)
X-Google-Smtp-Source:
AMsMyM6ScI/2v868XjwygL5zI2YHV1W/4Hnv9JfGzzA/gdRMrW+FfQHSWJVYuekfCw24UersJWPg
X-Received: by 2002:a05:6a00:2485:b0:561:c0a5:88aa with SMTP id
c5-20020a056a00248500b00561c0a588aamr35105270pfv.51.1667558221012;
Fri, 04 Nov 2022 03:37:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1667558221; cv=none;
d=google.com; s=arc-20160816;
b=uCIvDc85XymlFdd4EjRdhMQydTa02pRjzVfO46rNbva3gjxU8bWyZPsYlaGR+c9mP7
9OX7OCWMIboRwc2bN1UufkB9Di+qatvGIitO9EruC4Hd8CDMTgu9nO9aox/ZvxUR0GTj
Bi8nXM8krK6crKWV95vJ4yGbb6/C9tTfeu9McEnLtm+cj2hhgUAA9GGoYv8+mb6A4KrH
xvwe8/iVE8UA/Bso1VhG4x0I+yedNC5v58qsMvkiFCgI2uF9hBMgr1A5zJ6ojR8SOdSG
nF4gjxphzQeQ14//RCNwNHQXOm3k0JfYoXT4PT0sNGGHnDG8RHObQJXx/tQB3zEpNZBx
iSew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:cc:to:from:subject:message-id:mime-version:date
:dkim-signature;
bh=1SoVxq2eq/o0I9xtkXlt1Kp3g3hRPftcZsAVlrUyHqU=;
b=RA8Z+2fXjXjH1x8Ot0HuAeBVWtMizF9HKcs4D+YEaDcvxWMk45uabyOovxhAwBK5S/
CDb1pyxr+pavfy1nOaxTs/qxmVqUd4aAM+yzZP3Ty0C8JHbN/9RIJN8Ua3UAHbCiRZ61
EoINzNubQrQLSlGOloDQwenJICX74JjdllwXE4dhKzlihacT+eokO1W7/F7vDpPZcJeY
Ig3+ILTtkhoqhJ4mcDWN+nsbDnaVYRIntPDQwcmsi3qYVxE5E4CQkP6eNmSheUcryLrJ
7lcQZY7o1v6eOC6lT4/NZXoQFTajOalZlZhFDdfJdnb7osO0jgqGq6j+zGZVlrehb41e
tDWQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@google.com header.s=20210112 header.b=ZyllgC7z;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
d11-20020a056a00244b00b0056c07a694dasi4749169pfj.158.2022.11.04.03.36.47;
Fri, 04 Nov 2022 03:37:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@google.com header.s=20210112 header.b=ZyllgC7z;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231749AbiKDKcb (ORCPT <rfc822;jimliu8233@gmail.com> + 99 others);
Fri, 4 Nov 2022 06:32:31 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51794 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231537AbiKDKcY (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 4 Nov 2022 06:32:24 -0400
Received: from mail-ej1-x64a.google.com (mail-ej1-x64a.google.com
[IPv6:2a00:1450:4864:20::64a])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6F61B264B5
for <linux-kernel@vger.kernel.org>;
Fri, 4 Nov 2022 03:32:22 -0700 (PDT)
Received: by mail-ej1-x64a.google.com with SMTP id
sh31-20020a1709076e9f00b007ae32b7eb51so1003270ejc.9
for <linux-kernel@vger.kernel.org>;
Fri, 04 Nov 2022 03:32:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20210112;
h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject
:date:message-id:reply-to;
bh=1SoVxq2eq/o0I9xtkXlt1Kp3g3hRPftcZsAVlrUyHqU=;
b=ZyllgC7zGELy6cGe6p7Ftxhj8uOxfJaMzP88cFA/WXJtT+qO9qEKdYh2GUYYXzZBp1
ebZGF0WzM4X8dHtN1yeXD5w/b6/PjExUSKtNOHeEmDRCDEZ6GrJpc1EH635/m1bf8X/U
JPyeRheqFhpSuwFWPDhsBZg+qCmt/G9V+dyxE3/74K5r4YCc0g87eqKWo864kSGauAQG
vmSe2ExhzxAoqrMD/3+3DGZqK0HNQtP3qvOmUj9wGqI6ATi9XD/e3cK5KNkzLkjEuoI/
/0xHcyZWKoHq/+tjyLCnxB5ZziHh4OmbN65tgTrVWrbHDQYLlKqnLmO+gVvqSEgBWKIL
3ecA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state
:from:to:cc:subject:date:message-id:reply-to;
bh=1SoVxq2eq/o0I9xtkXlt1Kp3g3hRPftcZsAVlrUyHqU=;
b=d3WAPzJGZqD93nn1JgEcasgWNzX/QED/zaybYPV+vU+bAPngN9HbzkKhRdj9yIm9lz
Nz35A23qmSRknqZXPdYZsiM5j1lJdRN8XQcMKuCHII6vYz2ReOGfXuYnHWORlNXd25RC
3XCKmbs2i8yM76tkLxMJY5tlvI3ePWWE5lpyMySPcdwLGEv1J8MPrOJlkYlqEU+3bveP
37fIYX6YwxymXVPCVnNYYBDRUfOlWWo3CnDOoguWWkdtAXX4m7ZvgDq/edd1zVHN/3z9
H6qEL95TLDLuJ8DggjqLKSVNqm4J4ttpKKodNUX/d3dbF1jMN8zqrkEmYcf4Ckmj60yo
Z+kA==
X-Gm-Message-State: ACrzQf3Jn7PMKPaYN+qeQvn70SIalw6ROuAtdJOygafPrNjjtj5v6ByR
7MDsue/15HTYBT3pvHvJhUU4TcK3mOQ=
X-Received: from glider.muc.corp.google.com
([2a00:79e0:9c:201:6696:b522:be5f:6acc])
(user=glider job=sendgmr) by 2002:a05:6402:616:b0:463:e2cd:a88d with SMTP id
n22-20020a056402061600b00463e2cda88dmr15251520edv.400.1667557940714; Fri, 04
Nov 2022 03:32:20 -0700 (PDT)
Date: Fri, 4 Nov 2022 11:32:16 +0100
Mime-Version: 1.0
X-Mailer: git-send-email 2.38.1.431.g37b22c650d-goog
Message-ID: <20221104103216.2576427-1-glider@google.com>
Subject: [PATCH] ipv6: addrlabel: fix infoleak when sending struct
ifaddrlblmsg to network
From: Alexander Potapenko <glider@google.com>
To: glider@google.com
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
davem@davemloft.net, yoshfuji@linux-ipv6.org, dsahern@kernel.org,
syzbot+3553517af6020c4f2813f1003fe76ef3cbffe98d@syzkaller.appspotmail.com
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=unavailable
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1748561529119788305?=
X-GMAIL-MSGID: =?utf-8?q?1748561529119788305?=
|
| Series |
ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network
|
|
Commit Message
Alexander Potapenko
Nov. 4, 2022, 10:32 a.m. UTC
When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved
remained uninitialized, resulting in a 1-byte infoleak:
BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841
__netdev_start_xmit ./include/linux/netdevice.h:4841
netdev_start_xmit ./include/linux/netdevice.h:4857
xmit_one net/core/dev.c:3590
dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606
__dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256
dev_queue_xmit ./include/linux/netdevice.h:3009
__netlink_deliver_tap_skb net/netlink/af_netlink.c:307
__netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325
netlink_deliver_tap net/netlink/af_netlink.c:338
__netlink_sendskb net/netlink/af_netlink.c:1263
netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272
netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360
nlmsg_unicast ./include/net/netlink.h:1061
rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758
ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628
rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
...
Uninit was created at:
slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742
slab_alloc_node mm/slub.c:3398
__kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437
__do_kmalloc_node mm/slab_common.c:954
__kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975
kmalloc_reserve net/core/skbuff.c:437
__alloc_skb+0x27a/0xab0 net/core/skbuff.c:509
alloc_skb ./include/linux/skbuff.h:1267
nlmsg_new ./include/net/netlink.h:964
ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608
rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540
rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109
netlink_unicast_kernel net/netlink/af_netlink.c:1319
netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345
netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921
...
This patch ensures that the reserved field is always initialized.
Reported-by: syzbot+3553517af6020c4f2813f1003fe76ef3cbffe98d@syzkaller.appspotmail.com
Fixes: 2a8cc6c89039 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.")
Signed-off-by: Alexander Potapenko <glider@google.com>
---
net/ipv6/addrlabel.c | 1 +
1 file changed, 1 insertion(+)
Comments
> When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved > remained uninitialized, resulting in a 1-byte infoleak: > > BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841 > __netdev_start_xmit ./include/linux/netdevice.h:4841 > netdev_start_xmit ./include/linux/netdevice.h:4857 > xmit_one net/core/dev.c:3590 > dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606 > __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256 > dev_queue_xmit ./include/linux/netdevice.h:3009 > __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 > __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325 > netlink_deliver_tap net/netlink/af_netlink.c:338 > __netlink_sendskb net/netlink/af_netlink.c:1263 > netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272 > netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360 > nlmsg_unicast ./include/net/netlink.h:1061 > rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758 > ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628 > rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 > ... > Uninit was created at: > slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742 > slab_alloc_node mm/slub.c:3398 > __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437 > __do_kmalloc_node mm/slab_common.c:954 > __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975 > kmalloc_reserve net/core/skbuff.c:437 > __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509 > alloc_skb ./include/linux/skbuff.h:1267 > nlmsg_new ./include/net/netlink.h:964 > ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608 > rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 > netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540 > rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109 > netlink_unicast_kernel net/netlink/af_netlink.c:1319 > netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345 > netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921 > ... > > This patch ensures that the reserved field is always initialized. > > Reported-by: syzbot+3553517af6020c4f2813f1003fe76ef3cbffe98d@syzkaller.appspotmail.com > Fixes: 2a8cc6c89039 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.") > Signed-off-by: Alexander Potapenko <glider@google.com> > --- > net/ipv6/addrlabel.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c > index 8a22486cf2702..17ac45aa7194c 100644 > --- a/net/ipv6/addrlabel.c > +++ b/net/ipv6/addrlabel.c > @@ -437,6 +437,7 @@ static void ip6addrlbl_putmsg(struct nlmsghdr *nlh, > { > struct ifaddrlblmsg *ifal = nlmsg_data(nlh); > ifal->ifal_family = AF_INET6; > + ifal->__ifal_reserved = 0; > ifal->ifal_prefixlen = prefixlen; > ifal->ifal_flags = 0; > ifal->ifal_index = ifindex; > -- > 2.38.1.431.g37b22c650d-goog > I see the command but can't find the corresponding bug. The email is sent to syzbot+HASH@syzkaller.appspotmail.com address but the HASH does not correspond to any known bug. Please double check the address.
> > This patch ensures that the reserved field is always initialized. > > Reported-by: syzbot+3553517af6020c4f2813f1003fe76ef3cbffe98d@syzkaller.appspotmail.com My bad, should be: Reported-by: syzbot+fa5414772d5c445dac3c@syzkaller.appspotmail.com
>> >> This patch ensures that the reserved field is always initialized. >> >> Reported-by: syzbot+3553517af6020c4f2813f1003fe76ef3cbffe98d@syzkaller.appspotmail.com > > My bad, should be: > Reported-by: syzbot+fa5414772d5c445dac3c@syzkaller.appspotmail.com I see the command but can't find the corresponding bug. The email is sent to syzbot+HASH@syzkaller.appspotmail.com address but the HASH does not correspond to any known bug. Please double check the address.
On 11/4/22 4:32 AM, Alexander Potapenko wrote: > When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved > remained uninitialized, resulting in a 1-byte infoleak: > > BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841 > __netdev_start_xmit ./include/linux/netdevice.h:4841 > netdev_start_xmit ./include/linux/netdevice.h:4857 > xmit_one net/core/dev.c:3590 > dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606 > __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256 > dev_queue_xmit ./include/linux/netdevice.h:3009 > __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 > __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325 > netlink_deliver_tap net/netlink/af_netlink.c:338 > __netlink_sendskb net/netlink/af_netlink.c:1263 > netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272 > netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360 > nlmsg_unicast ./include/net/netlink.h:1061 > rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758 > ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628 > rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 > ... > Uninit was created at: > slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742 > slab_alloc_node mm/slub.c:3398 > __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437 > __do_kmalloc_node mm/slab_common.c:954 > __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975 > kmalloc_reserve net/core/skbuff.c:437 > __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509 > alloc_skb ./include/linux/skbuff.h:1267 > nlmsg_new ./include/net/netlink.h:964 > ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608 > rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 > netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540 > rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109 > netlink_unicast_kernel net/netlink/af_netlink.c:1319 > netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345 > netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921 > ... > > This patch ensures that the reserved field is always initialized. > > Reported-by: syzbot+3553517af6020c4f2813f1003fe76ef3cbffe98d@syzkaller.appspotmail.com > Fixes: 2a8cc6c89039 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.") > Signed-off-by: Alexander Potapenko <glider@google.com> > --- > net/ipv6/addrlabel.c | 1 + > 1 file changed, 1 insertion(+) > Reviewed-by: David Ahern <dsahern@kernel.org>
> On 11/4/22 4:32 AM, Alexander Potapenko wrote: >> When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved >> remained uninitialized, resulting in a 1-byte infoleak: >> >> BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841 >> __netdev_start_xmit ./include/linux/netdevice.h:4841 >> netdev_start_xmit ./include/linux/netdevice.h:4857 >> xmit_one net/core/dev.c:3590 >> dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606 >> __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256 >> dev_queue_xmit ./include/linux/netdevice.h:3009 >> __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 >> __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325 >> netlink_deliver_tap net/netlink/af_netlink.c:338 >> __netlink_sendskb net/netlink/af_netlink.c:1263 >> netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272 >> netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360 >> nlmsg_unicast ./include/net/netlink.h:1061 >> rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758 >> ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628 >> rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 >> ... >> Uninit was created at: >> slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742 >> slab_alloc_node mm/slub.c:3398 >> __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437 >> __do_kmalloc_node mm/slab_common.c:954 >> __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975 >> kmalloc_reserve net/core/skbuff.c:437 >> __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509 >> alloc_skb ./include/linux/skbuff.h:1267 >> nlmsg_new ./include/net/netlink.h:964 >> ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608 >> rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 >> netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540 >> rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109 >> netlink_unicast_kernel net/netlink/af_netlink.c:1319 >> netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345 >> netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921 >> ... >> >> This patch ensures that the reserved field is always initialized. >> >> Reported-by: syzbot+3553517af6020c4f2813f1003fe76ef3cbffe98d@syzkaller.appspotmail.com >> Fixes: 2a8cc6c89039 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.") >> Signed-off-by: Alexander Potapenko <glider@google.com> >> --- >> net/ipv6/addrlabel.c | 1 + >> 1 file changed, 1 insertion(+) >> > > Reviewed-by: David Ahern <dsahern@kernel.org> > > I see the command but can't find the corresponding bug. The email is sent to syzbot+HASH@syzkaller.appspotmail.com address but the HASH does not correspond to any known bug. Please double check the address.
Hello: This patch was applied to netdev/net.git (master) by David S. Miller <davem@davemloft.net>: On Fri, 4 Nov 2022 11:32:16 +0100 you wrote: > When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved > remained uninitialized, resulting in a 1-byte infoleak: > > BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841 > __netdev_start_xmit ./include/linux/netdevice.h:4841 > netdev_start_xmit ./include/linux/netdevice.h:4857 > xmit_one net/core/dev.c:3590 > dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606 > __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256 > dev_queue_xmit ./include/linux/netdevice.h:3009 > __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 > __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325 > netlink_deliver_tap net/netlink/af_netlink.c:338 > __netlink_sendskb net/netlink/af_netlink.c:1263 > netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272 > netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360 > nlmsg_unicast ./include/net/netlink.h:1061 > rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758 > ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628 > rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 > ... > Uninit was created at: > slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742 > slab_alloc_node mm/slub.c:3398 > __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437 > __do_kmalloc_node mm/slab_common.c:954 > __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975 > kmalloc_reserve net/core/skbuff.c:437 > __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509 > alloc_skb ./include/linux/skbuff.h:1267 > nlmsg_new ./include/net/netlink.h:964 > ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608 > rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 > netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540 > rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109 > netlink_unicast_kernel net/netlink/af_netlink.c:1319 > netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345 > netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921 > ... > > [...] Here is the summary with links: - ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network https://git.kernel.org/netdev/net/c/c23fb2c82267 You are awesome, thank you!
> Hello: > > This patch was applied to netdev/net.git (master) > by David S. Miller <davem@davemloft.net>: > > On Fri, 4 Nov 2022 11:32:16 +0100 you wrote: >> When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved >> remained uninitialized, resulting in a 1-byte infoleak: >> >> BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841 >> __netdev_start_xmit ./include/linux/netdevice.h:4841 >> netdev_start_xmit ./include/linux/netdevice.h:4857 >> xmit_one net/core/dev.c:3590 >> dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606 >> __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256 >> dev_queue_xmit ./include/linux/netdevice.h:3009 >> __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 >> __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325 >> netlink_deliver_tap net/netlink/af_netlink.c:338 >> __netlink_sendskb net/netlink/af_netlink.c:1263 >> netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272 >> netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360 >> nlmsg_unicast ./include/net/netlink.h:1061 >> rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758 >> ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628 >> rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 >> ... >> Uninit was created at: >> slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742 >> slab_alloc_node mm/slub.c:3398 >> __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437 >> __do_kmalloc_node mm/slab_common.c:954 >> __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975 >> kmalloc_reserve net/core/skbuff.c:437 >> __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509 >> alloc_skb ./include/linux/skbuff.h:1267 >> nlmsg_new ./include/net/netlink.h:964 >> ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608 >> rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 >> netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540 >> rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109 >> netlink_unicast_kernel net/netlink/af_netlink.c:1319 >> netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345 >> netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921 >> ... >> >> [...] > > Here is the summary with links: > - ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network > https://git.kernel.org/netdev/net/c/c23fb2c82267 > > You are awesome, thank you! > -- > Deet-doot-dot, I am a bot. > https://korg.docs.kernel.org/patchwork/pwbot.html > > I see the command but can't find the corresponding bug. The email is sent to syzbot+HASH@syzkaller.appspotmail.com address but the HASH does not correspond to any known bug. Please double check the address.
diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c index 8a22486cf2702..17ac45aa7194c 100644 --- a/net/ipv6/addrlabel.c +++ b/net/ipv6/addrlabel.c @@ -437,6 +437,7 @@ static void ip6addrlbl_putmsg(struct nlmsghdr *nlh, { struct ifaddrlblmsg *ifal = nlmsg_data(nlh); ifal->ifal_family = AF_INET6; + ifal->__ifal_reserved = 0; ifal->ifal_prefixlen = prefixlen; ifal->ifal_flags = 0; ifal->ifal_index = ifindex;