Commit 02e9578c authored by Paolo Abeni's avatar Paolo Abeni

Merge branch 'net-sched-initialize-struct-tc_ife-to-fix-kernel-infoleak'

Ranganath says:

====================
net: sched: initialize struct tc_ife to fix kernel-infoleak

This series addresses the uninitialization of the struct which has
2 bytes of padding. And copying this uninitialized data to userspace
can leak info from kernel memory.

This series ensures all members and padding are cleared prior to
being copied.

This change silences the KMSAN report and prevents potential information
leaks from the kernel memory.

v3: https://lore.kernel.org/lkml/20251106195635.2438-1-vnranganath.20@gmail.com/#t
v2: https://lore.kernel.org/r/20251101-infoleak-v2-0-01a501d41c09@gmail.com
v1: https://lore.kernel.org/r/20251031-infoleak-v1-1-9f7250ee33aa@gmail.com



Signed-off-by: default avatarRanganath V N <vnranganath.20@gmail.com>
Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
====================

Link: https://patch.msgid.link/20251109091336.9277-1-vnranganath.20@gmail.com


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parents 60e6489f ce50039b
+7 −5
@@ -195,13 +195,15 @@ static inline int tcf_connmark_dump(struct sk_buff *skb, struct tc_action *a,
	const struct tcf_connmark_info *ci = to_connmark(a);
	unsigned char *b = skb_tail_pointer(skb);
	const struct tcf_connmark_parms *parms;
	struct tc_connmark opt = {
		.index   = ci->tcf_index,
		.refcnt  = refcount_read(&ci->tcf_refcnt) - ref,
		.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind,
	};
	struct tc_connmark opt;
	struct tcf_t t;

	memset(&opt, 0, sizeof(opt));

	opt.index   = ci->tcf_index;
	opt.refcnt  = refcount_read(&ci->tcf_refcnt) - ref;
	opt.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;

	rcu_read_lock();
	parms = rcu_dereference(ci->parms);
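Review bot: The switch in tcf_connmark_dump from a designated initializer to `memset()` plus member assignments carries no comment saying why, so a later cleanup could fold it back into `struct tc_connmark opt = { ... }` and bring the uninitialized padding back. I would add above the memset `/* memset, not an initializer: padding bytes must be zero before opt is copied to userspace */`. The same comment fits the tcf_ife_dump hunk further down. The function body continues outside the hunk, so the copy itself is not visible here; that wording rests on the commit description.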

+7 −5
@@ -644,13 +644,15 @@ static int tcf_ife_dump(struct sk_buff *skb, struct tc_action *a, int bind,
	unsigned char *b = skb_tail_pointer(skb);
	struct tcf_ife_info *ife = to_ife(a);
	struct tcf_ife_params *p;
	struct tc_ife opt = {
		.index = ife->tcf_index,
		.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
		.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
	};
	struct tc_ife opt;
	struct tcf_t t;

	memset(&opt, 0, sizeof(opt));

	opt.index = ife->tcf_index,
	opt.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
	opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,

	spin_lock_bh(&ife->tcf_lock);
	opt.action = ife->tcf_action;
	p = rcu_dereference_protected(ife->params,
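Review bot: The three assignments added after the memset in tcf_ife_dump end in commas rather than semicolons (`opt.index = ife->tcf_index,` through `opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,`), apparently carried over from the removed initializer. They still compile because the comma operator chains them, together with the following `spin_lock_bh(&ife->tcf_lock);`, into one expression statement, so behaviour is unchanged. It reads as a mistake, though, and a declaration or control statement placed between those lines later would no longer compile. Each line should end in `;` as in the connmark hunk, e.g. `opt.index = ife->tcf_index;`. The function starts and ends outside the hunk.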