AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity
1b97013bfb
kernel_optimize_test/net/tipc
History
Eric Dumazet 09c8b9718a tipc: fix one byte leak in tipc_sk_set_orig_addr() 
sysbot/KMSAN reported an uninit-value in recvmsg() that
I tracked down to tipc_sk_set_orig_addr(), missing
srcaddr->member.scope initialization.

This patches moves srcaddr->sock.scope init to follow
fields order and ease future verifications.

BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 net/socket.c:226
CPU: 0 PID: 4549 Comm: syz-executor287 Not tainted 4.17.0-rc3+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 kmsan_internal_check_memory+0x135/0x1e0 mm/kmsan/kmsan.c:1157
 kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
 copy_to_user include/linux/uaccess.h:184 [inline]
 move_addr_to_user+0x32e/0x530 net/socket.c:226
 ___sys_recvmsg+0x4e2/0x810 net/socket.c:2285
 __sys_recvmsg net/socket.c:2328 [inline]
 __do_sys_recvmsg net/socket.c:2338 [inline]
 __se_sys_recvmsg net/socket.c:2335 [inline]
 __x64_sys_recvmsg+0x325/0x460 net/socket.c:2335
 do_syscall_64+0x154/0x220 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4455e9
RSP: 002b:00007fe3bd36ddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 00000000004455e9
RDX: 0000000000002002 RSI: 0000000020000400 RDI: 0000000000000003
RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff98ce4b6f R14: 00007fe3bd36e9c0 R15: 0000000000000003

Local variable description: ----addr@___sys_recvmsg
Variable was created at:
 ___sys_recvmsg+0xd5/0x810 net/socket.c:2246
 __sys_recvmsg net/socket.c:2328 [inline]
 __do_sys_recvmsg net/socket.c:2338 [inline]
 __se_sys_recvmsg net/socket.c:2335 [inline]
 __x64_sys_recvmsg+0x325/0x460 net/socket.c:2335

Byte 19 of 32 is uninitialized

Fixes: 31c82a2d9d ("tipc: add second source address to recvmsg()/recvfrom()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Ying Xue <ying.xue@windriver.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-05-10 17:28:39 -04:00
..
addr.c
addr.h
bcast.c
bcast.h
bearer.c
bearer.h
core.c
core.h
diag.c tipc: use the right skb in tipc_sk_fill_sock_diag() 2018-04-08 12:34:29 -04:00
discover.c
discover.h
eth_media.c
group.c
group.h
ib_media.c
Kconfig
link.c tipc: avoid possible string overflow 2018-03-31 22:19:52 -04:00
link.h
Makefile
monitor.c tipc: fix infinite loop when dumping link monitor summary 2018-04-18 13:48:43 -04:00
monitor.h
msg.c
msg.h
name_distr.c tipc: permit overlapping service ranges in name table 2018-03-31 22:19:52 -04:00
name_distr.h tipc: permit overlapping service ranges in name table 2018-03-31 22:19:52 -04:00
name_table.c tipc: fix use-after-free in tipc_nametbl_stop 2018-04-18 13:48:43 -04:00
name_table.h tipc: fix unbalanced reference counter 2018-04-12 21:46:10 -04:00
net.c tipc: fix possible crash in __tipc_nl_net_set() 2018-04-16 18:08:18 -04:00
net.h
netlink_compat.c
netlink.c tipc: fix possible crash in __tipc_nl_net_set() 2018-04-16 18:08:18 -04:00
netlink.h
node.c tipc: eliminate KMSAN uninit-value in strcmp complaint 2018-05-10 08:25:13 -04:00
node.h
socket.c tipc: fix one byte leak in tipc_sk_set_orig_addr() 2018-05-10 17:28:39 -04:00
socket.h tipc: use the right skb in tipc_sk_fill_sock_diag() 2018-04-08 12:34:29 -04:00
subscr.c tipc: fix unbalanced reference counter 2018-04-12 21:46:10 -04:00
subscr.h
sysctl.c
topsrv.c
topsrv.h
udp_media.c
udp_media.h