lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20260116112522.159480-4-p@1g4.org>
Date: Fri, 16 Jan 2026 11:26:08 +0000
From: Paul Moses <p@....org>
To: netdev@...r.kernel.org
Cc: Paul Moses <p@....org>, stable@...r.kernel.org
Subject: [PATCH net v1 3/3] net/sched: act_gate: zero-initialize netlink dump struct

Zero-initialize the tc_gate dump struct to avoid leaking padding bytes
to userspace. Without clearing the struct, uninitialized stack padding
can be copied into the netlink reply during action dumps.

Fixes: a51c328df310 ("net: qos: introduce a gate control flow action")
Cc: stable@...r.kernel.org
Signed-off-by: Paul Moses <p@....org>
---
 net/sched/act_gate.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/net/sched/act_gate.c b/net/sched/act_gate.c
index 6934df233df5e..043ad856361d7 100644
--- a/net/sched/act_gate.c
+++ b/net/sched/act_gate.c
@@ -644,19 +644,18 @@ static int dumping_entry(struct sk_buff *skb,
 static int tcf_gate_dump(struct sk_buff *skb, struct tc_action *a,
 			 int bind, int ref)
 {
-	unsigned char *b = skb_tail_pointer(skb);
 	struct tcf_gate *gact = to_gate(a);
-	struct tc_gate opt = {
-		.index    = gact->tcf_index,
-		.refcnt   = refcount_read(&gact->tcf_refcnt) - ref,
-		.bindcnt  = atomic_read(&gact->tcf_bindcnt) - bind,
-	};
 	struct tcfg_gate_entry *entry;
 	struct tcf_gate_params *p;
 	struct nlattr *entry_list;
+	struct tc_gate opt = { };
 	struct tcf_t t;
+	unsigned char *b = skb_tail_pointer(skb);
 
 	spin_lock_bh(&gact->tcf_lock);
+	opt.index    = gact->tcf_index;
+	opt.refcnt   = refcount_read(&gact->tcf_refcnt) - ref;
+	opt.bindcnt  = atomic_read(&gact->tcf_bindcnt) - bind;
 	opt.action = gact->tcf_action;
 
 	p = rcu_dereference_protected(gact->param,
-- 
2.52.GIT

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ