Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge branch 'net-sched-initialize-struct-tc_ife-to-fix-kernel-infoleak'

Ranganath says:

====================
net: sched: initialize struct tc_ife to fix kernel-infoleak

This series addresses the uninitialization of the struct which has
2 bytes of padding. And copying this uninitialized data to userspace
can leak info from kernel memory.

This series ensures all members and padding are cleared prior to
being copied.

This change silences the KMSAN report and prevents potential information
leaks from the kernel memory.

v3: https://lore.kernel.org/lkml/20251106195635.2438-1-vnranganath.20@gmail.com/#t
v2: https://lore.kernel.org/r/20251101-infoleak-v2-0-01a501d41c09@gmail.com
v1: https://lore.kernel.org/r/20251031-infoleak-v1-1-9f7250ee33aa@gmail.com

Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
====================

Link: https://patch.msgid.link/20251109091336.9277-1-vnranganath.20@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

+14 -10
+7 -5
net/sched/act_connmark.c
··· 195 195 const struct tcf_connmark_info *ci = to_connmark(a); 196 196 unsigned char *b = skb_tail_pointer(skb); 197 197 const struct tcf_connmark_parms *parms; 198 - struct tc_connmark opt = { 199 - .index = ci->tcf_index, 200 - .refcnt = refcount_read(&ci->tcf_refcnt) - ref, 201 - .bindcnt = atomic_read(&ci->tcf_bindcnt) - bind, 202 - }; 198 + struct tc_connmark opt; 203 199 struct tcf_t t; 200 + 201 + memset(&opt, 0, sizeof(opt)); 202 + 203 + opt.index = ci->tcf_index; 204 + opt.refcnt = refcount_read(&ci->tcf_refcnt) - ref; 205 + opt.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind; 204 206 205 207 rcu_read_lock(); 206 208 parms = rcu_dereference(ci->parms);
+7 -5
net/sched/act_ife.c
··· 644 644 unsigned char *b = skb_tail_pointer(skb); 645 645 struct tcf_ife_info *ife = to_ife(a); 646 646 struct tcf_ife_params *p; 647 - struct tc_ife opt = { 648 - .index = ife->tcf_index, 649 - .refcnt = refcount_read(&ife->tcf_refcnt) - ref, 650 - .bindcnt = atomic_read(&ife->tcf_bindcnt) - bind, 651 - }; 647 + struct tc_ife opt; 652 648 struct tcf_t t; 649 + 650 + memset(&opt, 0, sizeof(opt)); 651 + 652 + opt.index = ife->tcf_index, 653 + opt.refcnt = refcount_read(&ife->tcf_refcnt) - ref, 654 + opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind, 653 655 654 656 spin_lock_bh(&ife->tcf_lock); 655 657 opt.action = ife->tcf_action;
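Review bot: In the net/sched/act_connmark.c hunk, the new memset(&opt, 0, sizeof(opt)) has no comment explaining why the designated initializer was dropped, so a later cleanup could fold the three assignments back into `struct tc_connmark opt = { ... }` and lose the explicit clearing this series relies on. A one-line comment above the memset, saying that the whole struct including padding must be zeroed before it is copied to userspace, would record the intent. The series description also names only struct tc_ife; it would help to mention struct tc_connmark there as well, since this file is changed too.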
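Review bot: In the net/sched/act_ife.c hunk, the three new assignments (new lines 652-654) end in commas instead of semicolons, apparently carried over from the designated initializer they replace: `opt.index = ife->tcf_index,` through `opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,`. This only builds because the comma operator chains them into the following spin_lock_bh(&ife->tcf_lock); statement, which hides the statement boundary and is fragile if a line is later inserted between them. Please terminate each assignment with a semicolon, as the act_connmark.c hunk does.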