Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
bpf: Explicitly memset the bpf_attr structure

For the bpf syscall, we are relying on the compiler to properly zero out
the bpf_attr union that we copy userspace data into. Unfortunately that
doesn't always work properly, padding and other oddities might not be
correctly zeroed, and in some tests odd things have been found when the
stack is pre-initialized to other values.

Fix this by explicitly memsetting the structure to 0 before using it.

Reported-by: Maciej Żenczykowski <maze@google.com>
Reported-by: John Stultz <john.stultz@linaro.org>
Reported-by: Alexander Potapenko <glider@google.com>
Reported-by: Alistair Delva <adelva@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://android-review.googlesource.com/c/kernel/common/+/1235490
Link: https://lore.kernel.org/bpf/20200320094813.GA421650@kroah.com

Authored by Greg Kroah-Hartman and committed by Daniel Borkmann
8096f229 8e7ae251

+2 -1
kernel/bpf/syscall.c
··· 3362 3362 3363 3363 SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size) 3364 3364 { 3365 - union bpf_attr attr = {}; 3365 + union bpf_attr attr; 3366 3366 int err; 3367 3367 3368 3368 if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN)) ··· 3374 3374 size = min_t(u32, size, sizeof(attr)); 3375 3375 3376 3376 /* copy attributes from user space, may be less than sizeof(bpf_attr) */ 3377 + memset(&attr, 0, sizeof(attr)); 3377 3378 if (copy_from_user(&attr, uattr, size) != 0) 3378 3379 return -EFAULT; 3379 3380
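Review bot: With the `= {}` initializer dropped at line 3365 of the first hunk, `attr` is uninitialized from its declaration until the memset that the second hunk adds at 3377, and the lines between the capability check and `size = min_t(...)` are elided from this view. Either confirm that nothing in that span reads the contents of `attr` (as opposed to `sizeof(attr)`), or move the memset up so it directly follows the declarations and the window does not exist.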
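Review bot: The memset added at line 3377 in the second hunk carries no comment saying why it is used in place of an initializer, and it now sits directly under the existing "copy attributes from user space" comment, which describes the `copy_from_user()` call and not the memset. Suggest placing the memset above that comment with a one-line note that padding in the union has to be zeroed explicitly, as the commit message explains, so that a later cleanup does not fold it back into `union bpf_attr attr = {};`.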