Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenis Kirjanov <dkirjanov@suse.com>2019-03-21 13:10:53 +0100
committerDenis Kirjanov <dkirjanov@suse.com>2019-03-21 13:10:53 +0100
commit868559edaa42fc135a89271f0899ffbfc385da76 (patch)
treee9278aae2a204be7668ded8fec58961eed5070cb
parent4e8b58b7c56da1c4c6441a858e78efd7ee4a6e1b (diff)
l2tp: fix infoleak in l2tp_ip6_recvmsg() (git-fixes).
-rw-r--r--patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch81
-rw-r--r--series.conf1
2 files changed, 82 insertions, 0 deletions
diff --git a/patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch b/patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch
new file mode 100644
index 0000000000..56e2c40645
--- /dev/null
+++ b/patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch
@@ -0,0 +1,81 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: l2tp: fix infoleak in l2tp_ip6_recvmsg()
+Patch-mainline: v5.1-rc1
+Git-commit: 163d1c3d6f17556ed3c340d3789ea93be95d6c28
+References: git-fixes
+
+Back in 2013 Hannes took care of most of such leaks in commit
+bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")
+
+But the bug in l2tp_ip6_recvmsg() has not been fixed.
+
+syzbot report :
+
+BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x173/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
+ kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694
+ kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
+ _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+ copy_to_user include/linux/uaccess.h:174 [inline]
+ move_addr_to_user+0x311/0x570 net/socket.c:227
+ ___sys_recvmsg+0xb65/0x1310 net/socket.c:2283
+ do_recvmmsg+0x646/0x10c0 net/socket.c:2390
+ __sys_recvmmsg net/socket.c:2469 [inline]
+ __do_sys_recvmmsg net/socket.c:2492 [inline]
+ __se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485
+ __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x445819
+
+Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f64453eddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445819
+RDX: 0000000000000005 RSI: 0000000020002f80 RDI: 0000000000000003
+RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
+R13: 00007ffeba8f87af R14: 00007f64453ee9c0 R15: 20c49ba5e353f7cf
+
+Local variable description: ----addr@___sys_recvmsg
+Variable was created at:
+ ___sys_recvmsg+0xf6/0x1310 net/socket.c:2244
+ do_recvmmsg+0x646/0x10c0 net/socket.c:2390
+
+Bytes 0-31 of 32 are uninitialized
+Memory access of size 32 starts at ffff8880ae62fbb0
+Data copied to user address 0000000020000000
+
+Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ip6.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -680,9 +680,6 @@ static int l2tp_ip6_recvmsg(struct sock
+ if (flags & MSG_OOB)
+ goto out;
+
+- if (addr_len)
+- *addr_len = sizeof(*lsa);
+-
+ if (flags & MSG_ERRQUEUE)
+ return ipv6_recv_error(sk, msg, len, addr_len);
+
+@@ -712,6 +709,7 @@ static int l2tp_ip6_recvmsg(struct sock
+ lsa->l2tp_conn_id = 0;
+ if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
+ lsa->l2tp_scope_id = inet6_iif(skb);
++ *addr_len = sizeof(*lsa);
+ }
+
+ if (np->rxopt.all)
diff --git a/series.conf b/series.conf
index 39f4e7cf2f..47fa6c8f40 100644
--- a/series.conf
+++ b/series.conf
@@ -20950,6 +20950,7 @@
patches.fixes/0001-net-mlx4_core-Fix-reset-flow-when-in-command-polling.patch
patches.fixes/0001-net-mlx4_core-Fix-locking-in-SRIOV-mode-when-switchi.patch
patches.fixes/0001-net-mlx4_core-Fix-qp-mtt-size-calculation.patch
+ patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch
patches.fixes/0001-pptp-dst_release-sk_dst_cache-in-pptp_sock_destruct.patch
patches.fixes/ACPI-device_sysfs-Avoid-OF-modalias-creation-for-rem.patch
patches.drm/0001-drm-etnaviv-NULL-vs-IS_ERR-buf-in-etnaviv_core_dump.patch