net: sched: act_connmark: initialize struct tc_ife to fix kernel leak

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

In tcf_connmark_dump(), the variable 'opt' was partially initialized using a
designatied initializer. While the padding bytes are reamined
uninitialized. nla_put() copies the entire structure into a
netlink message, these uninitialized bytes leaked to userspace.

Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to beign copied.

Reported-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c85cae3350b7d486aee
Tested-by: syzbot+0c85cae3350b7d486aee@syzkaller.appspotmail.com
Fixes: 22a5dc0e5e3e ("net: sched: Introduce connmark action")
Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251109091336.9277-2-vnranganath.20@gmail.com
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

authored by

Ranganath V N and committed by

Paolo Abeni 4 months ago 62b656e4 60e6489f

+7 -5

1 changed file

expand all

net

sched

act_connmark.c

+7 -5

net/sched/act_connmark.c

··· 195 195 const struct tcf_connmark_info *ci = to_connmark(a); 196 196 unsigned char *b = skb_tail_pointer(skb); 197 197 const struct tcf_connmark_parms *parms; 198 - struct tc_connmark opt = { 199 - .index = ci->tcf_index, 200 - .refcnt = refcount_read(&ci->tcf_refcnt) - ref, 201 - .bindcnt = atomic_read(&ci->tcf_bindcnt) - bind, 202 - }; 198 + struct tc_connmark opt; 203 199 struct tcf_t t; 200 + 201 + memset(&opt, 0, sizeof(opt)); 202 + 203 + opt.index = ci->tcf_index; 204 + opt.refcnt = refcount_read(&ci->tcf_refcnt) - ref; 205 + opt.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind; 204 206 205 207 rcu_read_lock(); 206 208 parms = rcu_dereference(ci->parms);