• Eric Dumazet's avatar
    can: j1939: fix kernel-infoleak in j1939_sk_sock2sockaddr_can() · 38ba8b92
    Eric Dumazet authored
    syzbot found that at least 2 bytes of kernel information
    were leaked during getsockname() on AF_CAN CAN_J1939 socket.
    
    Since struct sockaddr_can has in fact two holes, simply
    clear the whole area before filling it with useful data.
    
    BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
    CPU: 0 PID: 8466 Comm: syz-executor511 Not tainted 5.8.0-rc5-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x21c/0x280 lib/dump_stack.c:118
     kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
     kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
     kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
     instrument_copy_to_user include/linux/instrumented.h:91 [inline]
     _copy_to_user+0x18e/0x260 lib/usercopy.c:39
     copy_to_user include/linux/uaccess.h:186 [inline]
     move_addr_to_user+0x3de/0x670 net/socket.c:237
     __sys_getsockname+0x407/0x5e0 net/socket.c:1909
     __do_sys_getsockname net/socket.c:1920 [inline]
     __se_sys_getsockname+0x91/0xb0 net/socket.c:1917
     __x64_sys_getsockname+0x4a/0x70 net/socket.c:1917
     do_syscall_64+0xad/0x160 arch/x86/entry/common.c:386
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x440219
    Code: Bad RIP value.
    RSP: 002b:00007ffe5ee150c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000033
    RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
    RDX: 0000000020000240 RSI: 0000000020000100 RDI: 0000000000000003
    RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
    R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a20
    R13: 0000000000401ab0 R14: 0000000000000000 R15: 0000000000000000
    
    Local variable ----address@__sys_getsockname created at:
     __sys_getsockname+0x91/0x5e0 net/socket.c:1894
     __sys_getsockname+0x91/0x5e0 net/socket.c:1894
    
    Bytes 2-3 of 24 are uninitialized
    Memory access of size 24 starts at ffff8880ba2c7de8
    Data copied to user address 0000000020000100
    
    Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol")
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Cc: Robin van der Gracht <robin@protonic.nl>
    Cc: Oleksij Rempel <o.rempel@pengutronix.de>
    Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
    Cc: linux-can@vger.kernel.org
    Acked-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
    Link: https://lore.kernel.org/r/20200813161834.4021638-1-edumazet@google.comSigned-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
    38ba8b92
socket.c 28.2 KB