Re: [PATCH net] net/sctp: Always set scope_id in sctp_inet6_skb_msgname

From: David Miller
Date: Thu Nov 16 2017 - 09:01:32 EST


From: ebiederm@xxxxxxxxxxxx (Eric W. Biederman)
Date: Wed, 15 Nov 2017 22:17:48 -0600

>
> Alexandar Potapenko while testing the kernel with KMSAN and syzkaller
> discovered that in some configurations sctp would leak 4 bytes of
> kernel stack.
>
> Working with his reproducer I discovered that those 4 bytes that
> are leaked is the scope id of an ipv6 address returned by recvmsg.
>
> With a little code inspection and a shrewd guess I discovered that
> sctp_inet6_skb_msgname only initializes the scope_id field for link
> local ipv6 addresses to the interface index the link local address
> pertains to instead of initializing the scope_id field for all ipv6
> addresses.
>
> That is almost reasonable as scope_id's are meaniningful only for link
> local addresses. Set the scope_id in all other cases to 0 which is
> not a valid interface index to make it clear there is nothing useful
> in the scope_id field.
>
> There should be no danger of breaking userspace as the stack leak
> guaranteed that previously meaningless random data was being returned.
>
> Fixes: 372f525b495c ("SCTP: Resync with LKSCTP tree.")
> History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
> Reported-by: Alexander Potapenko <glider@xxxxxxxxxx>
> Tested-by: Alexander Potapenko <glider@xxxxxxxxxx>
> Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>

Applied and queued up for -stable, thanks Eric.