Acked-by: Jon Maloy <jon.ma...@ericsson.com> Thank you Eric.
> -----Original Message----- > From: Eric Dumazet [mailto:eduma...@google.com] > Sent: Wednesday, May 09, 2018 09:50 > To: David S . Miller <da...@davemloft.net> > Cc: netdev <netdev@vger.kernel.org>; Eric Dumazet > <eduma...@google.com>; Eric Dumazet <eric.duma...@gmail.com>; Jon > Maloy <jon.ma...@ericsson.com>; Ying Xue <ying....@windriver.com> > Subject: [PATCH net] tipc: fix one byte leak in tipc_sk_set_orig_addr() > > sysbot/KMSAN reported an uninit-value in recvmsg() that I tracked down to > tipc_sk_set_orig_addr(), missing > srcaddr->member.scope initialization. > > This patches moves srcaddr->sock.scope init to follow fields order and ease > future verifications. > > BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 > [inline] > BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 > net/socket.c:226 > CPU: 0 PID: 4549 Comm: syz-executor287 Not tainted 4.17.0-rc3+ #88 > Hardware name: Google Google Compute Engine/Google Compute Engine, > BIOS Google 01/01/2011 Call Trace: > __dump_stack lib/dump_stack.c:77 [inline] > dump_stack+0x185/0x1d0 lib/dump_stack.c:113 > kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 > kmsan_internal_check_memory+0x135/0x1e0 mm/kmsan/kmsan.c:1157 > kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199 copy_to_user > include/linux/uaccess.h:184 [inline] > move_addr_to_user+0x32e/0x530 net/socket.c:226 > ___sys_recvmsg+0x4e2/0x810 net/socket.c:2285 __sys_recvmsg > net/socket.c:2328 [inline] __do_sys_recvmsg net/socket.c:2338 [inline] > __se_sys_recvmsg net/socket.c:2335 [inline] > __x64_sys_recvmsg+0x325/0x460 net/socket.c:2335 > do_syscall_64+0x154/0x220 arch/x86/entry/common.c:287 > entry_SYSCALL_64_after_hwframe+0x44/0xa9 > RIP: 0033:0x4455e9 > RSP: 002b:00007fe3bd36ddb8 EFLAGS: 00000246 ORIG_RAX: > 000000000000002f > RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 00000000004455e9 > RDX: 0000000000002002 RSI: 0000000020000400 RDI: 0000000000000003 > RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 > R13: 00007fff98ce4b6f R14: 00007fe3bd36e9c0 R15: 0000000000000003 > > Local variable description: ----addr@___sys_recvmsg Variable was created > at: > ___sys_recvmsg+0xd5/0x810 net/socket.c:2246 __sys_recvmsg > net/socket.c:2328 [inline] __do_sys_recvmsg net/socket.c:2338 [inline] > __se_sys_recvmsg net/socket.c:2335 [inline] > __x64_sys_recvmsg+0x325/0x460 net/socket.c:2335 > > Byte 19 of 32 is uninitialized > > Fixes: 31c82a2d9d51 ("tipc: add second source address to > recvmsg()/recvfrom()") > Signed-off-by: Eric Dumazet <eduma...@google.com> > Reported-by: syzbot <syzkal...@googlegroups.com> > Cc: Jon Maloy <jon.ma...@ericsson.com> > Cc: Ying Xue <ying....@windriver.com> > --- > net/tipc/socket.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/tipc/socket.c b/net/tipc/socket.c index > 252a52ae0893261fc6f146ad81111c59f375fdce..6be21575503aa532014e7aa141 > 5b2bf294757308 100644 > --- a/net/tipc/socket.c > +++ b/net/tipc/socket.c > @@ -1516,10 +1516,10 @@ static void tipc_sk_set_orig_addr(struct msghdr > *m, struct sk_buff *skb) > > srcaddr->sock.family = AF_TIPC; > srcaddr->sock.addrtype = TIPC_ADDR_ID; > + srcaddr->sock.scope = 0; > srcaddr->sock.addr.id.ref = msg_origport(hdr); > srcaddr->sock.addr.id.node = msg_orignode(hdr); > srcaddr->sock.addr.name.domain = 0; > - srcaddr->sock.scope = 0; > m->msg_namelen = sizeof(struct sockaddr_tipc); > > if (!msg_in_group(hdr)) > @@ -1528,6 +1528,7 @@ static void tipc_sk_set_orig_addr(struct msghdr > *m, struct sk_buff *skb) > /* Group message users may also want to know sending member's id > */ > srcaddr->member.family = AF_TIPC; > srcaddr->member.addrtype = TIPC_ADDR_NAME; > + srcaddr->member.scope = 0; > srcaddr->member.addr.name.name.type = msg_nametype(hdr); > srcaddr->member.addr.name.name.instance = TIPC_SKB_CB(skb)- > >orig_member; > srcaddr->member.addr.name.domain = 0; > -- > 2.17.0.441.gb46fe60e1d-goog
