lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <iSkQcHVqeUy7WNAqfrY9xUAibm1YtrTUPIhZ_yjoHmyDissbQj04N2-quW8BURs4cddEB6bDp0BfXh0LfdYwUYKQudEaHv-4TjEOTI_rCic=@1g4.org>
Date: Wed, 21 Jan 2026 15:26:22 +0000
From: Paul Moses <p@....org>
To: Eric Dumazet <edumazet@...gle.com>
Cc: netdev@...r.kernel.org, Jamal Hadi Salim <jhs@...atatu.com>, Cong Wang <xiyou.wangcong@...il.com>, Jiri Pirko <jiri@...nulli.us>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH net v3 1/7] net/sched: act_gate: zero-initialize netlink dump struct

Was looking at tcfg_gate_entry and tcf_gate along with this instance of nla_put, but I can't find my notes and I don't see the path currently. Like I said, remove it, I don't care.

    if (nla_put(skb, TCA_GATE_PARMS, sizeof(opt), &opt))
        goto nla_put_failure;


I have months invested into the UAF though and only just in the past 24 hours was able to stabilize into user space, so no effort whatsoever has been put into defeating kaslr or anything requiring infoleak.

Look forward to more input on the much larger issue at hand. 

Thanks
Paul




On Wednesday, January 21st, 2026 at 8:03 AM, Eric Dumazet <edumazet@...gle.com> wrote:

>
>
> On Wed, Jan 21, 2026 at 3:01 PM Paul Moses p@....org wrote:
>
> > padding? why does fzero-init-padding-bits exist?
>
>
> Which padding are you referring to?
>
> $ pahole -C tc_gate --hex net/sched/act_gate.o
> struct tc_gate {
> __u32 index; /* 0 0x4 /
> __u32 capab; / 0x4 0x4 /
> int action; / 0x8 0x4 /
> int refcnt; / 0xc 0x4 /
> int bindcnt; / 0x10 0x4 /
>
> / size: 20, cachelines: 1, members: 5 /
> / last cacheline: 20 bytes */
> };
>
> I see no padding.
>
> > On Wednesday, January 21st, 2026 at 7:48 AM, Eric Dumazet edumazet@...gle.com wrote:
> >
> > > On Wed, Jan 21, 2026 at 2:39 PM Paul Moses p@....org wrote:
> > >
> > > > Yes, it's not proven so you might be right, I knew it was 4 bytes at best. We can do next or toss it, I don't feel strongly either way.
> > >
> > > These bytes are cleared by C compilers.
> > >
> > > https://en.cppreference.com/w/c/language/struct_initialization.html
> > >
> > > Only holes might be left uninitialized.
> > >
> > > > On Wednesday, January 21st, 2026 at 7:25 AM, Eric Dumazet edumazet@...gle.com wrote:
> > > >
> > > > > On Wed, Jan 21, 2026 at 2:20 PM Paul Moses p@....org wrote:
> > > > >
> > > > > > Zero-initialize the dump struct before selective assignment to avoid
> > > > > > leaking stack padding in netlink replies. This matches other actions
> > > > > > (e.g. act_connmark) that zero-init their dump structs.
> > > > > >
> > > > > > Fixes: a51c328df310 ("net: qos: introduce a gate control flow action")
> > > > > > Cc: stable@...r.kernel.org
> > > > > > Signed-off-by: Paul Moses p@....org
> > > > > > ---
> > > > >
> > > > > I do not see a bug to fix, current code is fine.
> > > > >
> > > > > act_connmark problem was that "struct tc_connmark" had a 16bit hole.
> > > > >
> > > > > No such issue for struct tc_gate.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ