raspi/linux
1
0
Fork 1
mirror of https://github.com/raspberrypi/linux.git synced 2025-12-06 01:49:46 +00:00
Code Issues Projects Releases Wiki Activity

Merge branch 'net-sched-initialize-struct-tc_ife-to-fix-kernel-infoleak'

Browse Source 
Ranganath says:

====================
net: sched: initialize struct tc_ife to fix kernel-infoleak

This series addresses the uninitialization of the struct which has
2 bytes of padding. And copying this uninitialized data to userspace
can leak info from kernel memory.

This series ensures all members and padding are cleared prior to
begin copied.

This change silences the KMSAN report and prevents potential information
leaks from the kernel memory.

v3: https://lore.kernel.org/lkml/20251106195635.2438-1-vnranganath.20@gmail.com/#t
v2: https://lore.kernel.org/r/20251101-infoleak-v2-0-01a501d41c09@gmail.com
v1: https://lore.kernel.org/r/20251031-infoleak-v1-1-9f7250ee33aa@gmail.com

Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
====================

Link: https://patch.msgid.link/20251109091336.9277-1-vnranganath.20@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This commit is contained in:
Paolo Abeni
2025-11-11 15:00:10 +01:00
parent 60e6489f8e ce50039be4
commit 02e9578c3e
2 changed files with 14 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
net/sched/act_connmark.c
View File

@@ -195,13 +195,15 @@ static inline int tcf_connmark_dump(struct sk_buff *skb, struct tc_action *a,
const struct tcf_connmark_info *ci = to_connmark(a);
unsigned char *b = skb_tail_pointer(skb);
const struct tcf_connmark_parms *parms;
struct tc_connmark opt = {
.index = ci->tcf_index,
.refcnt = refcount_read(&ci->tcf_refcnt) - ref,
.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind,
};
struct tc_connmark opt;
struct tcf_t t;
memset(&opt, 0, sizeof(opt));
opt.index = ci->tcf_index;
opt.refcnt = refcount_read(&ci->tcf_refcnt) - ref;
opt.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;
rcu_read_lock();
parms = rcu_dereference(ci->parms);

12
net/sched/act_ife.c
View File

@@ -644,13 +644,15 @@ static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
unsigned char *b = skb_tail_pointer(skb);
struct tcf_ife_info *ife = to_ife(a);
struct tcf_ife_params *p;
struct tc_ife opt = {
.index = ife->tcf_index,
.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
};
struct tc_ife opt;
struct tcf_t t;
memset(&opt, 0, sizeof(opt));
opt.index = ife->tcf_index,
opt.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
spin_lock_bh(&ife->tcf_lock);
opt.action = ife->tcf_action;
p = rcu_dereference_protected(ife->params,