| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251227073743.17272-1-alperyasinak1@gmail.com>
Date: Sat, 27 Dec 2025 10:37:42 +0300
From: Alper Ak <alperyasinak1@...il.com>
To: davem@...emloft.net,
dsahern@...nel.org,
edumazet@...gle.com,
kuba@...nel.org
Cc: Alper Ak <alperyasinak1@...il.com>,
Paolo Abeni <pabeni@...hat.com>,
Simon Horman <horms@...nel.org>,
Kuniyuki Iwashima <kuniyu@...gle.com>,
Breno Leitao <leitao@...ian.org>,
Willem de Bruijn <willemb@...gle.com>,
netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] net: ipv4: ipmr: Prevent information leak in ipmr_sk_ioctl()
struct sioc_vif_req has a padding hole after the vifi field due to
alignment requirements. These padding bytes were uninitialized,
potentially leaking kernel stack memory to userspace when the
struct is copied via sock_ioctl_inout().
Reported by Smatch:
net/ipv4/ipmr.c:1575 ipmr_sk_ioctl() warn: check that 'buffer'
doesn't leak information (struct has a hole after 'vifi')
Fixes: e1d001fa5b47 ("net: ioctl: Use kernel memory on protocol ioctl callbacks")
Signed-off-by: Alper Ak <alperyasinak1@...il.com>
---
net/ipv4/ipmr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index ca9eaee4c2ef..18441fbe7ed7 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1571,6 +1571,7 @@ int ipmr_sk_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
/* These userspace buffers will be consumed by ipmr_ioctl() */
case SIOCGETVIFCNT: {
struct sioc_vif_req buffer;
+ memset(&buffer, 0, sizeof(buffer));
return sock_ioctl_inout(sk, cmd, arg, &buffer,
sizeof(buffer));
--
2.43.0
Powered by blists - more mailing lists