iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet a795edbd6c l2tp: fix infoleak in l2tp_ip6_recvmsg() 
[ Upstream commit 163d1c3d6f17556ed3c340d3789ea93be95d6c28 ]

Back in 2013 Hannes took care of most of such leaks in commit
bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")

But the bug in l2tp_ip6_recvmsg() has not been fixed.

syzbot report :

BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
 kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694
 kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
 copy_to_user include/linux/uaccess.h:174 [inline]
 move_addr_to_user+0x311/0x570 net/socket.c:227
 ___sys_recvmsg+0xb65/0x1310 net/socket.c:2283
 do_recvmmsg+0x646/0x10c0 net/socket.c:2390
 __sys_recvmmsg net/socket.c:2469 [inline]
 __do_sys_recvmmsg net/socket.c:2492 [inline]
 __se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485
 __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x445819
Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f64453eddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445819
RDX: 0000000000000005 RSI: 0000000020002f80 RDI: 0000000000000003
RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
R13: 00007ffeba8f87af R14: 00007f64453ee9c0 R15: 20c49ba5e353f7cf

Local variable description: ----addr@___sys_recvmsg
Variable was created at:
 ___sys_recvmsg+0xf6/0x1310 net/socket.c:2244
 do_recvmmsg+0x646/0x10c0 net/socket.c:2390

Bytes 0-31 of 32 are uninitialized
Memory access of size 32 starts at ffff8880ae62fbb0
Data copied to user address 0000000020000000

Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-23 08:44:29 +01:00
..
6lowpan
6lowpan: iphc: reset mac_header after decompress to fix panic
2018-10-10 08:52:04 +02:00
9p
9p/net: put a lower bound on msize
2019-01-13 10:05:33 +01:00
802
8021q
vlan: also check phy_driver ts_info for vlan's real device
2018-04-13 19:50:25 +02:00
appletalk
atm
net: atm: Fix potential Spectre v1
2018-05-16 10:06:51 +02:00
ax25
ax25: fix possible use-after-free
2019-02-23 09:05:14 +01:00
batman-adv
batman-adv: fix uninit-value in batadv_interface_tx()
2019-03-23 08:44:17 +01:00
bluetooth
Bluetooth: Fix unnecessary error message for HCI request completion
2019-02-20 10:13:10 +01:00
bridge
netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES
2019-03-23 08:44:29 +01:00
caif
net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
2018-09-05 09:18:34 +02:00
can
can: bcm: check timer values before ktime conversion
2019-02-06 19:43:04 +01:00
ceph
libceph: handle an empty authorize reply
2019-03-23 08:44:18 +01:00
core
net-sysfs: Fix mem leak in netdev_register_kobject
2019-03-23 08:44:22 +01:00
dcb
net: dcb: For wild-card lookups, use priority -1, not 0
2018-09-19 22:48:58 +02:00
dccp
dccp: fool proof ccid_hc_[rt]x_parse_options()
2019-02-20 10:13:15 +01:00
decnet
dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
2018-02-25 11:03:38 +01:00
dns_resolver
KEYS: DNS: fix parsing multiple options
2018-07-22 14:25:54 +02:00
dsa
net: dsa: slave: Don't propagate flag changes on down slave interfaces
2019-02-20 10:13:15 +01:00
ethernet
net: introduce device min_header_len
2017-02-18 16:39:27 +01:00
hsr
net/hsr: fix a warning message
2015-11-23 14:56:15 -05:00
ieee802154
inet: frags: fix ip6frag_low_thresh boundary
2019-02-08 11:25:32 +01:00
ipv4
netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES
2019-03-23 08:44:29 +01:00
ipv6
netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES
2019-03-23 08:44:29 +01:00
ipx
ipx: call ipxitf_put() in ioctl error path
2017-05-25 14:30:13 +02:00
irda
irda: Only insert new objects into the global database via setsockopt
2018-09-15 09:40:40 +02:00
iucv
af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers
2018-11-10 07:41:35 -08:00
key
af_key: Always verify length of provided sadb_key
2018-06-16 09:54:25 +02:00
l2tp
l2tp: fix infoleak in l2tp_ip6_recvmsg()
2019-03-23 08:44:29 +01:00
l3mdev
net: Add netif_is_l3_slave
2015-10-07 04:27:43 -07:00
lapb
llc
llc: do not use sk_eat_skb()
2018-12-01 09:46:34 +01:00
mac80211
mac80211: don't initiate TDLS connection if station is not associated to AP
2019-03-23 08:44:20 +01:00
mac802154
net: mac802154: tx: expand tailroom if necessary
2018-09-09 20:04:32 +02:00
mpls
mpls, nospec: Sanitize array index in mpls_label_ok()
2018-03-11 16:19:47 +01:00
netfilter
netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options
2019-03-23 08:44:29 +01:00
netlabel
netlabel: check for IPV4MASK in addrinfo_get
2018-10-20 09:52:36 +02:00
netlink
netlink: Don't shift on 64 for ngroups
2018-08-09 12:19:28 +02:00
netrom
netrom: switch to sock timer API
2019-02-06 19:43:06 +01:00
nfc
net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
2019-03-23 08:44:22 +01:00
openvswitch
openvswitch: Avoid OOB read when parsing flow nlattrs
2019-02-06 19:43:03 +01:00
packet
net/packet: fix 4gb buffer limit due to overflow check
2019-03-23 08:44:17 +01:00
phonet
phonet: properly unshare skbs in phonet_rcv()
2016-01-31 11:29:00 -08:00
rds
rds: avoid unenecessary cong_update in loop transport
2018-07-22 14:25:54 +02:00
rfkill
rfkill: gpio: fix memory leak in probe error path
2018-05-16 10:06:51 +02:00
rose
net/rose: fix NULL ax25_cb kernel panic
2019-02-06 19:43:06 +01:00
rxrpc
rxrpc: check return value of skb_to_sgvec always
2018-04-13 19:50:23 +02:00
sched
net_sched: refetch skb protocol for each filter
2019-02-06 19:43:03 +01:00
sctp
sctp: allocate sctp_sockaddr_entry with kzalloc
2019-01-26 09:42:51 +01:00
sunrpc
sunrpc: handle ENOMEM in rpcb_getport_async
2019-01-26 09:42:51 +01:00
switchdev
switchdev: pass pointer to fib_info instead of copy
2016-06-24 10:18:16 -07:00
tipc
tipc: use destination length for copy string
2019-02-20 10:13:14 +01:00
unix
net: drop write-only stack variable
2018-11-10 07:41:34 -08:00
vmw_vsock
vsock: cope with memory allocation failure at socket creation time
2019-02-23 09:05:13 +01:00
wimax
net:wimax: Fix doucble word "the the" in networking.xml
2015-08-09 22:43:52 -07:00
wireless
cfg80211: extend range deviation for DMG
2019-03-23 08:44:20 +01:00
x25
net/x25: do not hold the cpu too long in x25_new_lci()
2019-02-23 09:05:14 +01:00
xfrm
xfrm: refine validation of template and selector families
2019-02-20 10:13:20 +01:00
compat.c
sock: Make sock->sk_stamp thread-safe
2019-01-13 10:05:28 +01:00
Kconfig
Make DST_CACHE a silent config option
2018-02-25 11:03:37 +01:00
Makefile
net: Introduce L3 Master device abstraction
2015-09-29 20:40:32 -07:00
socket.c
sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names
2019-03-23 08:44:21 +01:00
sysctl_net.c
net: Use ns_capable_noaudit() when determining net sysctl permissions
2016-09-15 08:27:50 +02:00