[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANn89iK0j6j+dvp0EnEzPi32-6nLaR2qJ1sHjPg9865TigzENA@mail.gmail.com>
Date: Wed, 21 Feb 2024 08:55:48 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: Ryosuke Yasuoka <ryasuoka@...hat.com>
Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, horms@...nel.org,
anjali.k.kulkarni@...cle.com, lirongqing@...du.com, dhowells@...hat.com,
pctammela@...atatu.com, kuniyu@...zon.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzbot+34ad5fab48f7bf510349@...kaller.appspotmail.com
Subject: Re: [PATCH net] netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
On Wed, Feb 21, 2024 at 8:42 AM Ryosuke Yasuoka <ryasuoka@...hat.com> wrote:
>
> syzbot reported the following uninit-value access issue [1]:
>
> netlink_to_full_skb() creates a new `skb` and puts the `skb->data`
> passed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data
> size is specified as `len` and passed to skb_put_data(). This `len`
> is based on `skb->end` that is not data offset but buffer offset. The
> `skb->end` contains data and tailroom. Since the tailroom is not
> initialized when the new `skb` created, KMSAN detects uninitialized
> memory area when copying the data.
>
> This patch resolved this issue by correct the len from `skb->end` to
> `skb->len`, which is the actual data offset.
>
>
> Bytes 3852-3903 of 3904 are uninitialized
> Memory access of size 3904 starts at ffff88812ea1e000
> Data copied to user address 0000000020003280
>
> CPU: 1 PID: 5043 Comm: syz-executor297 Not tainted 6.7.0-rc5-syzkaller-00047-g5bd7ef53ffe5 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
>
> Fixes: 1853c9496460 ("netlink, mmap: transform mmap skb into full skb on taps")
> Reported-and-tested-by: syzbot+34ad5fab48f7bf510349@...kaller.appspotmailcom
> Closes: https://syzkaller.appspot.com/bug?extid=34ad5fab48f7bf510349 [1]
> Signed-off-by: Ryosuke Yasuoka <ryasuoka@...hat.com>
These vmalloc() skbs have caused so many issues, thanks for this fix.
Reviewed-by: Eric Dumazet <edumazet@...gle.com>
Powered by blists - more mailing lists