lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aQoJTvFoS9rZ4-cT@horms.kernel.org>
Date: Tue, 4 Nov 2025 14:10:22 +0000
From: Simon Horman <horms@...nel.org>
To: Ranganath V N <vnranganath.20@...il.com>
Cc: Jamal Hadi Salim <jhs@...atatu.com>,
	Cong Wang <xiyou.wangcong@...il.com>, Jiri Pirko <jiri@...nulli.us>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	skhan@...uxfoundation.org, david.hunter.linux@...il.com,
	khalid@...nel.org,
	syzbot+0c85cae3350b7d486aee@...kaller.appspotmail.com
Subject: Re: [PATCH v2 1/2] net: sched: act_ife: initialize struct tc_ife to
 fix KMSAN kernel-infoleak

On Sat, Nov 01, 2025 at 06:04:47PM +0530, Ranganath V N wrote:
> Fix a KMSAN kernel-infoleak detected  by the syzbot .
> 
> [net?] KMSAN: kernel-infoleak in __skb_datagram_iter
> 
> In tcf_ife_dump(), the variable 'opt' was partially initialized using a
> designatied initializer. While the padding bytes are reamined
> uninitialized. nla_put() copies the entire structure into a
> netlink message, these uninitialized bytes leaked to userspace.
> 
> Initialize the structure with memset before assigning its fields
> to ensure all members and padding are cleared prior to beign copied.
> 
> This change silences the KMSAN report and prevents potential information
> leaks from the kernel memory.
> 
> This fix has been tested and validated by syzbot. This patch closes the
> bug reported at the following syzkaller link and ensures no infoleak.
> 
> Reported-by: syzbot+0c85cae3350b7d486aee@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=0c85cae3350b7d486aee
> Tested-by: syzbot+0c85cae3350b7d486aee@...kaller.appspotmail.com
> Fixes: ef6980b6becb ("introduce IFE action")
> Signed-off-by: Ranganath V N <vnranganath.20@...il.com>
> ---
>  net/sched/act_ife.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
> 
> diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
> index 107c6d83dc5c..7c6975632fc2 100644
> --- a/net/sched/act_ife.c
> +++ b/net/sched/act_ife.c
> @@ -644,13 +644,15 @@ static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
>  	unsigned char *b = skb_tail_pointer(skb);
>  	struct tcf_ife_info *ife = to_ife(a);
>  	struct tcf_ife_params *p;
> -	struct tc_ife opt = {
> -		.index = ife->tcf_index,
> -		.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
> -		.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
> -	};
> +	struct tc_ife opt;
>  	struct tcf_t t;
>  
> +	memset(&opt, 0, sizeof(opt));
> +
> +	opt.index = ife->tcf_index,
> +	opt.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
> +	opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,

I don't think it makes any difference to the compiled code.
But I think it would be clearer to use ';' rather than ','
at the end of each of the three lines above.

Likewise in patch 2/2.

> +
>  	spin_lock_bh(&ife->tcf_lock);
>  	opt.action = ife->tcf_action;
>  	p = rcu_dereference_protected(ife->params,
> 
> -- 
> 2.43.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ