lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAM0EoMmnDe+Re5P0YPiRTJ=N+4omhtv=r3i5iicav8R7hg6TTQ@mail.gmail.com>
Date: Fri, 12 Dec 2025 11:26:23 -0500
From: Jamal Hadi Salim <jhs@...atatu.com>
To: Vitaly Chikunov <vt@...linux.org>
Cc: Ranganath V N <vnranganath.20@...il.com>, linux-rt-devel@...ts.linux.dev, 
	edumazet@...gle.com, davem@...emloft.net, david.hunter.linux@...il.com, 
	horms@...nel.org, jiri@...nulli.us, khalid@...nel.org, kuba@...nel.org, 
	pabeni@...hat.com, xiyou.wangcong@...il.com, linux-kernel@...r.kernel.org, 
	netdev@...r.kernel.org, skhan@...uxfoundation.org
Subject: Re: [PATCH net v4 2/2] net: sched: act_ife: initialize struct tc_ife
 to fix KMSAN kernel-infoleak

On Thu, Dec 11, 2025 at 7:54 PM Vitaly Chikunov <vt@...linux.org> wrote:
>
> On Sun, Nov 09, 2025 at 02:43:36PM +0530, Ranganath V N wrote:
> > Fix a KMSAN kernel-infoleak detected  by the syzbot .
> >
> > [net?] KMSAN: kernel-infoleak in __skb_datagram_iter
> >
> > In tcf_ife_dump(), the variable 'opt' was partially initialized using a
> > designatied initializer. While the padding bytes are reamined
> > uninitialized. nla_put() copies the entire structure into a
> > netlink message, these uninitialized bytes leaked to userspace.
> >
> > Initialize the structure with memset before assigning its fields
> > to ensure all members and padding are cleared prior to beign copied.
> >
> > This change silences the KMSAN report and prevents potential information
> > leaks from the kernel memory.
> >
> > This fix has been tested and validated by syzbot. This patch closes the
> > bug reported at the following syzkaller link and ensures no infoleak.
> >
> > Reported-by: syzbot+0c85cae3350b7d486aee@...kaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=0c85cae3350b7d486aee
> > Tested-by: syzbot+0c85cae3350b7d486aee@...kaller.appspotmail.com
> > Fixes: ef6980b6becb ("introduce IFE action")
> > Signed-off-by: Ranganath V N <vnranganath.20@...il.com>
> > ---
> >  net/sched/act_ife.c | 12 +++++++-----
> >  1 file changed, 7 insertions(+), 5 deletions(-)
> >
> > diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
> > index 107c6d83dc5c..7c6975632fc2 100644
> > --- a/net/sched/act_ife.c
> > +++ b/net/sched/act_ife.c
> > @@ -644,13 +644,15 @@ static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
> >       unsigned char *b = skb_tail_pointer(skb);
> >       struct tcf_ife_info *ife = to_ife(a);
> >       struct tcf_ife_params *p;
> > -     struct tc_ife opt = {
> > -             .index = ife->tcf_index,
> > -             .refcnt = refcount_read(&ife->tcf_refcnt) - ref,
> > -             .bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
> > -     };
> > +     struct tc_ife opt;
> >       struct tcf_t t;
> >
> > +     memset(&opt, 0, sizeof(opt));
> > +
> > +     opt.index = ife->tcf_index,
> > +     opt.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
> > +     opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
>
> Are you sure this is correct to delimit with commas instead of
> semicolons?
>
> This already causes build failures of 5.10.247-rt141 kernel, because
> their spin_lock_bh unrolls into do { .. } while (0):
>

Do you have access to this?
commit 205305c028ad986d0649b8b100bab6032dcd1bb5
Author: Chen Ni <nichen@...as.ac.cn>
Date:   Wed Nov 12 15:27:09 2025 +0800

    net/sched: act_ife: convert comma to semicolon

cheers,
jamal

>      CC [M]  net/sched/act_ife.o
>    In file included from ./include/linux/spinlock.h:329,
>                     from ./include/linux/mmzone.h:8,
>                     from ./include/linux/gfp.h:6,
>                     from ./include/linux/mm.h:10,
>                     from ./include/linux/bvec.h:14,
>                     from ./include/linux/skbuff.h:17,
>                     from net/sched/act_ife.c:20:
>    net/sched/act_ife.c: In function 'tcf_ife_dump':
>    ./include/linux/spinlock_rt.h:44:2: error: expected expression before 'do'
>       44 |  do {     \
>          |  ^~
>    net/sched/act_ife.c:655:2: note: in expansion of macro 'spin_lock_bh'
>      655 |  spin_lock_bh(&ife->tcf_lock);
>          |  ^~~~~~~~~~~~
>    make[2]: *** [scripts/Makefile.build:286: net/sched/act_ife.o] Error 1
>    make[2]: *** Waiting for unfinished jobs....
>
>
> Thanks,
>
> > +
> >       spin_lock_bh(&ife->tcf_lock);
> >       opt.action = ife->tcf_action;
> >       p = rcu_dereference_protected(ife->params,
> > --
> > 2.43.0
> >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ