• Eric Dumazet's avatar
    l2tp: fix infoleak in l2tp_ip6_recvmsg() · 7a2ccbda
    Eric Dumazet authored
    BugLink: https://bugs.launchpad.net/bugs/1822271
    
    [ Upstream commit 163d1c3d ]
    
    Back in 2013 Hannes took care of most of such leaks in commit
    bceaa902 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")
    
    But the bug in l2tp_ip6_recvmsg() has not been fixed.
    
    syzbot report :
    
    BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
    CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x173/0x1d0 lib/dump_stack.c:113
     kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
     kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694
     kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
     _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
     copy_to_user include/linux/uaccess.h:174 [inline]
     move_addr_to_user+0x311/0x570 net/socket.c:227
     ___sys_recvmsg+0xb65/0x1310 net/socket.c:2283
     do_recvmmsg+0x646/0x10c0 net/socket.c:2390
     __sys_recvmmsg net/socket.c:2469 [inline]
     __do_sys_recvmmsg net/socket.c:2492 [inline]
     __se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485
     __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485
     do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
     entry_SYSCALL_64_after_hwframe+0x63/0xe7
    RIP: 0033:0x445819
    Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007f64453eddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
    RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445819
    RDX: 0000000000000005 RSI: 0000000020002f80 RDI: 0000000000000003
    RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
    R13: 00007ffeba8f87af R14: 00007f64453ee9c0 R15: 20c49ba5e353f7cf
    
    Local variable description: ----addr@___sys_recvmsg
    Variable was created at:
     ___sys_recvmsg+0xf6/0x1310 net/socket.c:2244
     do_recvmmsg+0x646/0x10c0 net/socket.c:2390
    
    Bytes 0-31 of 32 are uninitialized
    Memory access of size 32 starts at ffff8880ae62fbb0
    Data copied to user address 0000000020000000
    
    Fixes: a32e0eec ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
    Acked-by: default avatarJuerg Haefliger <juerg.haefliger@canonical.com>
    Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
    7a2ccbda
l2tp_ip6.c 19.6 KB