Commit e6e3eb5e authored Mar 29, 2026 by Yochai Eisenrich Committed by Jakub Kicinski Mar 30, 2026

net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak



When building netlink messages, tc_chain_fill_node() never initializes
the tcm_info field of struct tcmsg. Since the allocation is not zeroed,
kernel heap memory is leaked to userspace through this 4-byte field.

The fix simply zeroes tcm_info alongside the other fields that are
already initialized.

Fixes: 32a4f5ec ("net: sched: introduce chain object to uapi")
Signed-off-by: Yochai Eisenrich <echelonh@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260328211436.1010152-1-echelonh@gmail.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent ddc748a3

net/sched/cls_api.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -2969,6 +2969,7 @@ static int tc_chain_fill_node(const struct tcf_proto_ops *tmplt_ops,
		tcm->tcm__pad1 = 0;
		tcm->tcm__pad2 = 0;
		tcm->tcm_handle = 0;
		tcm->tcm_info = 0;
		if (block->q) {
		tcm->tcm_ifindex = qdisc_dev(block->q)->ifindex;
		tcm->tcm_parent = block->q->handle;