Date: Sun, 13 Sep 2020 08:13:51 +0200
From: Greg KH <greg@...ah.com>
To: Anant Thazhemadam <anant.thazhemadam@...il.com>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org, Jakub Kicinski <kuba@...nel.org>, syzbot+09a5d591c1f98cf5efcb@...kaller.appspotmail.com, "David S. Miller" <davem@...emloft.net>, linux-kernel-mentees@...ts.linuxfoundation.org
Subject: Re: [Linux-kernel-mentees] [PATCH] net: fix uninit value error in __sys_sendmmsg

On Sun, Sep 13, 2020 at 11:26:39AM +0530, Anant Thazhemadam wrote:
> The crash report showed that there was a local variable;
>
> ----iovstack.i@...ys_sendmmsg created at:
> ___sys_sendmsg net/socket.c:2388 [inline]
> __sys_sendmmsg+0x6db/0xc90 net/socket.c:2480
>
> that was left uninitialized.
>
> The contents of iovstack are of interest, since the respective pointer
> is passed down as an argument to sendmsg_copy_msghdr as well.
> Initializing the contents of this stack prevents this bug from happening.
>
> Since the memory that was initialized is freed at the end of the function
> call, memory leaks are not likely to be an issue.
>
> syzbot seems to have triggered this error by passing an array of 0's as
> a parameter while making the initial system call.
>
> Reported-by: syzbot+09a5d591c1f98cf5efcb@...kaller.appspotmail.com
> Tested-by: syzbot+09a5d591c1f98cf5efcb@...kaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@...il.com>
> ---
>  net/socket.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/net/socket.c b/net/socket.c
> index 0c0144604f81..d74443dfd73b 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -2396,6 +2396,7 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg,
> {
> struct sockaddr_storage address;
> struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
> + memset(iov, 0, UIO_FASTIOV);
> ssize_t err;
>
> msg_sys->msg_name = &address;

I don't think you built this code change, otherwise you would have seen
that it adds a build warning to the system, right?  :(
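Review bot: the added `memset(iov, 0, UIO_FASTIOV);` sits between the declaration of `iovstack` and `ssize_t err;`, so `err` becomes a declaration after a statement, which the kernel build flags as a warning (-Wdeclaration-after-statement); move the call below the last declaration. The size argument is also wrong: `UIO_FASTIOV` is the element count of `struct iovec iovstack[UIO_FASTIOV]`, not its size in bytes, so only the first UIO_FASTIOV bytes of the array are zeroed and the remaining entries stay uninitialized; use `memset(iovstack, 0, sizeof(iovstack));` (or initialize the array at its declaration). Finally, zeroing the buffer silences the uninitialized-value report without explaining why a consumer read an iovstack entry that was never filled; the commit message should name which entry was read and why it was not populated, since that is the defect to fix.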