Commit bddc0921 authored by Weiming Shi, committed by Jakub Kicinski

tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR
In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an
uninitialised on-stack struct sockaddr_storage to userspace via
ifr_hwaddr, but netif_get_mac_address() only writes sa_family and
dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised.

Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a
macvtap chardev returns kernel .text and direct-map pointers, defeating
KASLR.

Initialise ss at declaration.

Fixes: 3b23a32a ("net: fix dev_ifsioc_locked() race condition")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260520075736.3415676-3-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
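To make the mechanism in the commit message concrete, here is an added userspace model (not the kernel's code) of the SIOCGIFHWADDR path. It stands in a 128-byte array for `struct sockaddr_storage`, a 16-byte copy for `ifr_hwaddr`, and a constructed `mock_get_mac_address()` for `netif_get_mac_address()` that writes only `sa_family` and `addr_len` bytes. The stale byte pattern, the sample MAC address and the family value are all constructed; the real kernel stack would hold whatever the previous callee left there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SS_SIZE          128  /* sizeof(struct sockaddr_storage) on Linux */
#define IFR_HWADDR_SIZE   16  /* sizeof(struct sockaddr): 2-byte family + 14-byte sa_data */
#define ETH_ALEN           6  /* dev->addr_len for Ethernet */
#define AF_CONSTRUCTED     1  /* constructed sa_family value for the model */
#define STALE_BYTE      0xAA  /* constructed pattern standing in for old stack contents */

/* Constructed sample MAC address. */
static const unsigned char sample_mac[ETH_ALEN] = {0x02, 0x00, 0x00, 0x11, 0x22, 0x33};

/* Stand-in for netif_get_mac_address(): writes sa_family plus addr_len
 * bytes of address and nothing else, as the commit message describes. */
static void mock_get_mac_address(unsigned char *ss, const unsigned char *mac, size_t addr_len)
{
    uint16_t family = AF_CONSTRUCTED;

    memcpy(ss, &family, sizeof(family));
    memcpy(ss + sizeof(family), mac, addr_len);
}

/* Models the ioctl path. The local is first filled with STALE_BYTE to stand in
 * for whatever the stack slot held before the call; with zero_init set it is
 * then zeroed, which is what `struct sockaddr_storage ss = {};` achieves.
 * The 16 bytes that would be copied to userspace are written to out. */
static void simulate_siocgifhwaddr(int zero_init, unsigned char out[IFR_HWADDR_SIZE])
{
    unsigned char ss[SS_SIZE];

    memset(ss, STALE_BYTE, sizeof(ss));
    if (zero_init)
        memset(ss, 0, sizeof(ss));

    mock_get_mac_address(ss, sample_mac, ETH_ALEN);
    memcpy(out, ss, IFR_HWADDR_SIZE);  /* copy_to_user(&ifr->ifr_hwaddr, &ss, 16) */
}

/* Number of bytes in the 16-byte copy, beyond family + address, that still
 * carry the stale pattern, i.e. bytes the kernel side never wrote. */
static int count_stale_bytes(int zero_init)
{
    unsigned char out[IFR_HWADDR_SIZE];
    int stale = 0;

    simulate_siocgifhwaddr(zero_init, out);
    for (size_t i = sizeof(uint16_t) + ETH_ALEN; i < IFR_HWADDR_SIZE; i++)
        if (out[i] == STALE_BYTE)
            stale++;
    return stale;
}

/* Value of byte idx in the copy handed to userspace, or -1 if out of range. */
static int copied_byte(int zero_init, size_t idx)
{
    unsigned char out[IFR_HWADDR_SIZE];

    if (idx >= IFR_HWADDR_SIZE)
        return -1;
    simulate_siocgifhwaddr(zero_init, out);
    return out[idx];
}

int main(void)
{
    printf("uninitialised ss: %d of 8 trailing bytes are stale stack data\n",
           count_stale_bytes(0));
    printf("ss = {}:          %d of 8 trailing bytes are stale stack data\n",
           count_stale_bytes(1));
    return 0;
}
```

With the uninitialised local, `sa_data[6..13]` (offsets 8 to 15 of the copy) still hold the stale pattern after the address is written, so all 8 are handed to the caller; zero-initialising the whole 128-byte structure at declaration leaves them at 0 regardless of `addr_len`, which is why zeroing the declaration rather than padding only the copied region is the robust fix.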
parent 2bccfb84
+1 −1
@@ -919,11 +919,11 @@ static long tap_ioctl(struct file *file, unsigned int cmd,
	struct tap_queue *q = file->private_data;
	struct tap_dev *tap;
	void __user *argp = (void __user *)arg;
	struct sockaddr_storage ss = {};
	struct ifreq __user *ifr = argp;
	unsigned int __user *up = argp;
	unsigned short u;
	int __user *sp = argp;
	struct sockaddr_storage ss;
	int s;
	int ret;
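Review bot: the `= {}` on the moved declaration `struct sockaddr_storage ss = {};` zero-initialises all of sockaddr_storage, which is the right scope for this fix because the 16-byte copy into ifr_hwaddr described in the commit message is larger than the sa_family plus dev->addr_len bytes that netif_get_mac_address() writes, and zeroing the whole object stays correct for any addr_len. The hunk only covers the declaration block (the rendered view has lost the +/- markers, so both the old `struct sockaddr_storage ss;` and the new line appear), so the copy_to_user() site and its length are not visible here for cross-checking; a reviewer should confirm that site against the "16 bytes" claim in the message. Moving the declaration up next to `argp` also keeps the block in the net tree's reverse-christmas-tree ordering, which is worth stating in the message so the move does not read as an unrelated reshuffle.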