| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 9 May 2021 13:18:58 +0100
From: Phillip Potter <phil@...lpotter.co.uk>
To: davem@...emloft.net
Cc: kuba@...nel.org, yhs@...com, ast@...nel.org,
johannes.berg@...el.com, rdunlap@...radead.org,
0x7f454c46@...il.com, yangyingliang@...wei.com,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] netlink: netlink_sendmsg: memset unused tail bytes in skb
When allocating the skb within netlink_sendmsg, with certain supplied
len arguments, extra bytes are allocated at the end of the data buffer,
due to SKB_DATA_ALIGN giving a larger size within __alloc_skb for
alignment reasons. This means that after using skb_put with the same
len value and then copying data into the skb, the skb tail area is
non-zero in size and contains uninitialised bytes. Wiping this area
(if it exists) fixes a KMSAN-found uninit-value bug reported by syzbot at:
https://syzkaller.appspot.com/bug?id=3e63bcec536b7136b54c72e06adeb87dc6519f69
Reported-by: syzbot+a73d24a22eeeebe5f244@...kaller.appspotmail.com
Signed-off-by: Phillip Potter <phil@...lpotter.co.uk>
---
net/netlink/af_netlink.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 3a62f97acf39..e54321b63f98 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1914,6 +1914,9 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
goto out;
}
+ if (skb->end - skb->tail)
+ memset(skb_tail_pointer(skb), 0, skb->end - skb->tail);
+
err = security_netlink_send(sk, skb);
if (err) {
kfree_skb(skb);
--
2.30.2
Powered by blists - more mailing lists