* [PATCH net] xfrm_user: prevent leaking 2 bytes of kernel memory
@ 2018-06-19 4:35 Eric Dumazet
2018-06-19 12:59 ` Steffen Klassert
0 siblings, 1 reply; 2+ messages in thread
From: Eric Dumazet @ 2018-06-19 4:35 UTC (permalink / raw
To: David S . Miller
Cc: netdev, Eric Dumazet, Eric Dumazet, Steffen Klassert, Herbert Xu
struct xfrm_userpolicy_type has two holes, so we should not
use C99 style initializer.
KMSAN report:
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:113
kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
copyout lib/iov_iter.c:140 [inline]
_copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
copy_to_iter include/linux/uio.h:106 [inline]
skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
sock_recvmsg_nosec net/socket.c:802 [inline]
sock_recvmsg+0x1d6/0x230 net/socket.c:809
___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
__sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
__do_sys_recvmmsg net/socket.c:2485 [inline]
__se_sys_recvmmsg net/socket.c:2481 [inline]
__x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x446ce9
RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001
Uninit was stored to memory at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
__msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
__nla_put lib/nlattr.c:569 [inline]
nla_put+0x276/0x340 lib/nlattr.c:627
copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
__netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
netlink_dump_start include/linux/netlink.h:214 [inline]
xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg net/socket.c:639 [inline]
___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
__sys_sendmsg net/socket.c:2155 [inline]
__do_sys_sendmsg net/socket.c:2164 [inline]
__se_sys_sendmsg net/socket.c:2162 [inline]
__x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Local variable description: ----upt.i@dump_one_policy
Variable was created at:
dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
Byte 130 of 137 is uninitialized
Memory access starts at ffff88019550407f
Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
---
net/xfrm/xfrm_user.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 080035f056d992c49f8cbcc776d579c9769c67eb..1e50b70ad668068235c9054f5b0c9ff0d938d07f 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1671,9 +1671,11 @@ static inline unsigned int userpolicy_type_attrsize(void)
#ifdef CONFIG_XFRM_SUB_POLICY
static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
{
- struct xfrm_userpolicy_type upt = {
- .type = type,
- };
+ struct xfrm_userpolicy_type upt;
+
+ /* Sadly there are two holes in struct xfrm_userpolicy_type */
+ memset(&upt, 0, sizeof(upt));
+ upt.type = type;
return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
}
--
2.18.0.rc1.244.gcf134e6275-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net] xfrm_user: prevent leaking 2 bytes of kernel memory
2018-06-19 4:35 [PATCH net] xfrm_user: prevent leaking 2 bytes of kernel memory Eric Dumazet
@ 2018-06-19 12:59 ` Steffen Klassert
0 siblings, 0 replies; 2+ messages in thread
From: Steffen Klassert @ 2018-06-19 12:59 UTC (permalink / raw
To: Eric Dumazet; +Cc: David S . Miller, netdev, Eric Dumazet, Herbert Xu
On Mon, Jun 18, 2018 at 09:35:07PM -0700, Eric Dumazet wrote:
> struct xfrm_userpolicy_type has two holes, so we should not
> use C99 style initializer.
>
> KMSAN report:
>
> BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
> BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
> CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x185/0x1d0 lib/dump_stack.c:113
> kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
> kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
> kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
> copyout lib/iov_iter.c:140 [inline]
> _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
> copy_to_iter include/linux/uio.h:106 [inline]
> skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
> skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
> netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
> sock_recvmsg_nosec net/socket.c:802 [inline]
> sock_recvmsg+0x1d6/0x230 net/socket.c:809
> ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
> __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
> do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
> __do_sys_recvmmsg net/socket.c:2485 [inline]
> __se_sys_recvmmsg net/socket.c:2481 [inline]
> __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
> do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
> RIP: 0033:0x446ce9
> RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
> RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
> RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
> RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
> R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
> R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001
>
> Uninit was stored to memory at:
> kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
> kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
> kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
> kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
> __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
> __nla_put lib/nlattr.c:569 [inline]
> nla_put+0x276/0x340 lib/nlattr.c:627
> copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
> dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
> xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
> xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
> netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
> __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
> netlink_dump_start include/linux/netlink.h:214 [inline]
> xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
> netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
> xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
> netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
> netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
> netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
> sock_sendmsg_nosec net/socket.c:629 [inline]
> sock_sendmsg net/socket.c:639 [inline]
> ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
> __sys_sendmsg net/socket.c:2155 [inline]
> __do_sys_sendmsg net/socket.c:2164 [inline]
> __se_sys_sendmsg net/socket.c:2162 [inline]
> __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
> do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
> Local variable description: ----upt.i@dump_one_policy
> Variable was created at:
> dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
> xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
>
> Byte 130 of 137 is uninitialized
> Memory access starts at ffff88019550407f
>
> Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Cc: Steffen Klassert <steffen.klassert@secunet.com>
> Cc: Herbert Xu <herbert@gondor.apana.org.au>
> ---
> net/xfrm/xfrm_user.c | 8 +++++---
It is a fix for xfrm, so I applied it
to the ipsec tree.
Thanks a lot Eric!
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-06-19 12:59 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-06-19 4:35 [PATCH net] xfrm_user: prevent leaking 2 bytes of kernel memory Eric Dumazet
2018-06-19 12:59 ` Steffen Klassert
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.