Skip to main content

Browse the archive

Revision 633593a808980f82d251d0ca89730d8bb8b0220c authored by Eric Dumazet on 10 March 2022, 00:11:45 UTC, committed by Jakub Kicinski on 10 March 2022, 22:46:42 UTC 
sctp: fix kernel-infoleak for SCTP sockets
 
syzbot reported a kernel infoleak [1] of 4 bytes.

After analysis, it turned out r->idiag_expires is not initialized
if inet_sctp_diag_fill() calls inet_diag_msg_common_fill()

Make sure to clear idiag_timer/idiag_retrans/idiag_expires
and let inet_diag_msg_sctpasoc_fill() fill them again if needed.

[1]

BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 copyout lib/iov_iter.c:154 [inline]
 _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
 copy_to_iter include/linux/uio.h:162 [inline]
 simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
 __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425
 skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
 skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]
 netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977
 sock_recvmsg_nosec net/socket.c:948 [inline]
 sock_recvmsg net/socket.c:966 [inline]
 __sys_recvfrom+0x795/0xa10 net/socket.c:2097
 __do_sys_recvfrom net/socket.c:2115 [inline]
 __se_sys_recvfrom net/socket.c:2111 [inline]
 __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slub.c:3247 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1158 [inline]
 netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248
 __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373
 netlink_dump_start include/linux/netlink.h:254 [inline]
 inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341
 sock_diag_rcv_msg+0x24a/0x620
 netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494
 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg net/socket.c:725 [inline]
 sock_write_iter+0x594/0x690 net/socket.c:1061
 do_iter_readv_writev+0xa7f/0xc70
 do_iter_write+0x52c/0x1500 fs/read_write.c:851
 vfs_writev fs/read_write.c:924 [inline]
 do_writev+0x645/0xe00 fs/read_write.c:967
 __do_sys_writev fs/read_write.c:1040 [inline]
 __se_sys_writev fs/read_write.c:1037 [inline]
 __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Bytes 68-71 of 2508 are uninitialized
Memory access of size 2508 starts at ffff888114f9b000
Data copied to user address 00007f7fe09ff2e0

CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Link: https://lore.kernel.org/r/20220310001145.297371-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
1 parent 26183cf
Raw File
cleanpatch 
#!/usr/bin/env perl
# SPDX-License-Identifier: GPL-2.0
#
# Clean a patch file -- or directory of patch files -- of stealth whitespace.
# WARNING: this can be a highly destructive operation.  Use with caution.
#

use warnings;
use bytes;
use File::Basename;

# Default options
$max_width = 79;

# Clean up space-tab sequences, either by removing spaces or
# replacing them with tabs.
sub clean_space_tabs($)
{
    no bytes;			# Tab alignment depends on characters

    my($li) = @_;
    my($lo) = '';
    my $pos = 0;
    my $nsp = 0;
    my($i, $c);

    for ($i = 0; $i < length($li); $i++) {
	$c = substr($li, $i, 1);
	if ($c eq "\t") {
	    my $npos = ($pos+$nsp+8) & ~7;
	    my $ntab = ($npos >> 3) - ($pos >> 3);
	    $lo .= "\t" x $ntab;
	    $pos = $npos;
	    $nsp = 0;
	} elsif ($c eq "\n" || $c eq "\r") {
	    $lo .= " " x $nsp;
	    $pos += $nsp;
	    $nsp = 0;
	    $lo .= $c;
	    $pos = 0;
	} elsif ($c eq " ") {
	    $nsp++;
	} else {
	    $lo .= " " x $nsp;
	    $pos += $nsp;
	    $nsp = 0;
	    $lo .= $c;
	    $pos++;
	}
    }
    $lo .= " " x $nsp;
    return $lo;
}

# Compute the visual width of a string
sub strwidth($) {
    no bytes;			# Tab alignment depends on characters

    my($li) = @_;
    my($c, $i);
    my $pos = 0;
    my $mlen = 0;

    for ($i = 0; $i < length($li); $i++) {
	$c = substr($li,$i,1);
	if ($c eq "\t") {
	    $pos = ($pos+8) & ~7;
	} elsif ($c eq "\n") {
	    $mlen = $pos if ($pos > $mlen);
	    $pos = 0;
	} else {
	    $pos++;
	}
    }

    $mlen = $pos if ($pos > $mlen);
    return $mlen;
}

$name = basename($0);

@files = ();

while (defined($a = shift(@ARGV))) {
    if ($a =~ /^-/) {
	if ($a eq '-width' || $a eq '-w') {
	    $max_width = shift(@ARGV)+0;
	} else {
	    print STDERR "Usage: $name [-width #] files...\n";
	    exit 1;
	}
    } else {
	push(@files, $a);
    }
}

foreach $f ( @files ) {
    print STDERR "$name: $f\n";

    if (! -f $f) {
	print STDERR "$f: not a file\n";
	next;
    }

    if (!open(FILE, '+<', $f)) {
	print STDERR "$name: Cannot open file: $f: $!\n";
	next;
    }

    binmode FILE;

    # First, verify that it is not a binary file; consider any file
    # with a zero byte to be a binary file.  Is there any better, or
    # additional, heuristic that should be applied?
    $is_binary = 0;

    while (read(FILE, $data, 65536) > 0) {
	if ($data =~ /\0/) {
	    $is_binary = 1;
	    last;
	}
    }

    if ($is_binary) {
	print STDERR "$name: $f: binary file\n";
	next;
    }

    seek(FILE, 0, 0);

    $in_bytes = 0;
    $out_bytes = 0;
    $lineno = 0;

    @lines  = ();

    $in_hunk = 0;
    $err = 0;

    while ( defined($line = <FILE>) ) {
	$lineno++;
	$in_bytes += length($line);

	if (!$in_hunk) {
	    if ($line =~
		/^\@\@\s+\-([0-9]+),([0-9]+)\s+\+([0-9]+),([0-9]+)\s\@\@/) {
		$minus_lines = $2;
		$plus_lines = $4;
		if ($minus_lines || $plus_lines) {
		    $in_hunk = 1;
		    @hunk_lines = ($line);
		}
	    } else {
		push(@lines, $line);
		$out_bytes += length($line);
	    }
	} else {
	    # We're in a hunk

	    if ($line =~ /^\+/) {
		$plus_lines--;

		$text = substr($line, 1);
		$text =~ s/[ \t\r]*$//;		# Remove trailing spaces
		$text = clean_space_tabs($text);

		$l_width = strwidth($text);
		if ($max_width && $l_width > $max_width) {
		    print STDERR
			"$f:$lineno: adds line exceeds $max_width ",
			"characters ($l_width)\n";
		}

		push(@hunk_lines, '+'.$text);
	    } elsif ($line =~ /^\-/) {
		$minus_lines--;
		push(@hunk_lines, $line);
	    } elsif ($line =~ /^ /) {
		$plus_lines--;
		$minus_lines--;
		push(@hunk_lines, $line);
	    } else {
		print STDERR "$name: $f: malformed patch\n";
		$err = 1;
		last;
	    }

	    if ($plus_lines < 0 || $minus_lines < 0) {
		print STDERR "$name: $f: malformed patch\n";
		$err = 1;
		last;
	    } elsif ($plus_lines == 0 && $minus_lines == 0) {
		# End of a hunk.  Process this hunk.
		my $i;
		my $l;
		my @h = ();
		my $adj = 0;
		my $done = 0;

		for ($i = scalar(@hunk_lines)-1; $i > 0; $i--) {
		    $l = $hunk_lines[$i];
		    if (!$done && $l eq "+\n") {
			$adj++; # Skip this line
		    } elsif ($l =~ /^[ +]/) {
			$done = 1;
			unshift(@h, $l);
		    } else {
			unshift(@h, $l);
		    }
		}

		$l = $hunk_lines[0];  # Hunk header
		undef @hunk_lines;    # Free memory

		if ($adj) {
		    die unless
			($l =~ /^\@\@\s+\-([0-9]+),([0-9]+)\s+\+([0-9]+),([0-9]+)\s\@\@(.*)$/);
		    my $mstart = $1;
		    my $mlin = $2;
		    my $pstart = $3;
		    my $plin = $4;
		    my $tail = $5; # doesn't include the final newline

		    $l = sprintf("@@ -%d,%d +%d,%d @@%s\n",
				 $mstart, $mlin, $pstart, $plin-$adj,
				 $tail);
		}
		unshift(@h, $l);

		# Transfer to the output array
		foreach $l (@h) {
		    $out_bytes += length($l);
		    push(@lines, $l);
		}

		$in_hunk = 0;
	    }
	}
    }

    if ($in_hunk) {
	print STDERR "$name: $f: malformed patch\n";
	$err = 1;
    }

    if (!$err) {
	if ($in_bytes != $out_bytes) {
	    # Only write to the file if changed
	    seek(FILE, 0, 0);
	    print FILE @lines;

	    if ( !defined($where = tell(FILE)) ||
		 !truncate(FILE, $where) ) {
		die "$name: Failed to truncate modified file: $f: $!\n";
	    }
	}
    }

    close(FILE);
}
back to top