    l2tp: fix infoleak in l2tp_ip6_recvmsg() · af6822a7
    Eric Dumazet authored
    [ Upstream commit 163d1c3d6f17556ed3c340d3789ea93be95d6c28 ]
    
    Back in 2013 Hannes took care of most of such leaks in commit
    bceaa902 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")
    
    But the bug in l2tp_ip6_recvmsg() has not been fixed.
    
    syzbot report:
    
    BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
    CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x173/0x1d0 lib/dump_stack.c:113
     kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
     kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694
     kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
     _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
     copy_to_user include/linux/uaccess.h:174 [inline]
     move_addr_to_user+0x311/0x570 net/socket.c:227
     ___sys_recvmsg+0xb65/0x1310 net/socket.c:2283
     do_recvmmsg+0x646/0x10c0 net/socket.c:2390
     __sys_recvmmsg net/socket.c:2469 [inline]
     __do_sys_recvmmsg net/socket.c:2492 [inline]
     __se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485
     __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485
     do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
     entry_SYSCALL_64_after_hwframe+0x63/0xe7
    
    Local variable description: ----addr@___sys_recvmsg
    Variable was created at:
     ___sys_recvmsg+0xf6/0x1310 net/socket.c:2244
     do_recvmmsg+0x646/0x10c0 net/socket.c:2390
    
    Bytes 0-31 of 32 are uninitialized
    Memory access of size 32 starts at ffff8880ae62fbb0
    Data copied to user address 0000000020000000
    
    Fixes: a32e0eec ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
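The KMSAN report above shows all 32 bytes of the generic recvmsg path's stack address buffer (`addr@___sys_recvmsg`) reaching user space untouched. As an added example that is neither kernel code nor this commit's diff, here is a user-space C model of that leak class: a protocol handler that reports an address length on a path where it never wrote the address, beside the pattern that ties the reported length to the bytes actually written. The buffer size, the sockaddr layout and all function names are assumptions of the model, not the real l2tp code.

```c
#include <stdint.h>
#include <string.h>

#define ADDR_STORAGE 32   /* models the 32-byte addr@___sys_recvmsg stack buffer */
#define SOCKADDR_LEN 32   /* models sizeof(struct sockaddr_l2tpip6) (assumed) */
#define POISON 0xAA       /* stands in for stale stack contents */

struct fake_skb { uint8_t saddr[16]; };  /* NULL models a path with no datagram */

/* Buggy pattern: the length is reported before the handler knows whether it
 * will ever write the address bytes (hypothetical handler, not l2tp's). */
static int recvmsg_len_reported_early(const struct fake_skb *skb,
                                      uint8_t *addr, int *addr_len)
{
    *addr_len = SOCKADDR_LEN;          /* committed too early */
    if (!skb)
        return 0;                      /* success, but addr never written */
    memset(addr, 0, SOCKADDR_LEN);     /* clears family/unused/padding */
    memcpy(addr + 8, skb->saddr, 16);  /* modelled layout, not the real one */
    return 16;
}

/* Hardened pattern: the length is reported only once the bytes it covers are
 * written, so the "no datagram" return leaves addr_len at 0 and copies nothing. */
static int recvmsg_len_reported_with_addr(const struct fake_skb *skb,
                                          uint8_t *addr, int *addr_len)
{
    if (!skb)
        return 0;                      /* *addr_len stays 0 */
    memset(addr, 0, SOCKADDR_LEN);
    memcpy(addr + 8, skb->saddr, 16);
    *addr_len = SOCKADDR_LEN;
    return 16;
}

/* Generic path, as in ___sys_recvmsg -> move_addr_to_user: poisoned stack
 * buffer, handler fills it, addr_len bytes go to "user space".  Returns how
 * many copied bytes still hold the poison, i.e. were never initialized. */
static int leaked_bytes(int (*handler)(const struct fake_skb *, uint8_t *, int *),
                        const struct fake_skb *skb)
{
    uint8_t addr[ADDR_STORAGE], user[ADDR_STORAGE];
    int addr_len = 0, leaked = 0;
    memset(addr, POISON, sizeof(addr));  /* stale stack, as KMSAN tracks it */
    handler(skb, addr, &addr_len);
    memcpy(user, addr, (size_t)addr_len);
    for (int i = 0; i < addr_len; i++)
        leaked += (user[i] == POISON);
    return leaked;
}
```

The buggy handler leaks all 32 poison bytes on the no-datagram path, exactly the "Bytes 0-31 of 32 are uninitialized" shape of the report, while the hardened one leaks none on either path.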