[PATCH] netlink: netlink_sendmsg: memset unused tail bytes in skb

From: Phillip Potter
Date: Sun May 09 2021 - 08:22:10 EST


When allocating the skb within netlink_sendmsg, with certain supplied
len arguments, extra bytes are allocated at the end of the data buffer,
due to SKB_DATA_ALIGN giving a larger size within __alloc_skb for
alignment reasons. This means that after using skb_put with the same
len value and then copying data into the skb, the skb tail area is
non-zero in size and contains uninitialised bytes. Wiping this area
(if it exists) fixes a KMSAN-found uninit-value bug reported by syzbot at:
https://syzkaller.appspot.com/bug?id=3e63bcec536b7136b54c72e06adeb87dc6519f69

Reported-by: syzbot+a73d24a22eeeebe5f244@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Phillip Potter <phil@xxxxxxxxxxxxxxxx>
---
net/netlink/af_netlink.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 3a62f97acf39..e54321b63f98 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1914,6 +1914,9 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
goto out;
}

+ if (skb->end - skb->tail)
+ memset(skb_tail_pointer(skb), 0, skb->end - skb->tail);
+
err = security_netlink_send(sk, skb);
if (err) {
kfree_skb(skb);
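Review bot: the memset in this hunk silences the KMSAN report rather than fixing its cause. The bytes between skb->tail and skb->end lie outside skb->len, so they are not part of the message data this function copied from userspace; whatever later reads them is already reading past the end of the netlink message, and that reader is the bug to fix. Zeroing the tailroom only makes the over-read return zeros instead of stale memory, and it adds a memset on every sendmsg for headroom the next skb_put() may legitimately fill. The change log should say which consumer reads past skb->tail (the syzbot link alone does not), and if this masking is kept as a stopgap, the `if (skb->end - skb->tail)` guard is redundant since memset with a zero length is a no-op, and `skb_tailroom(skb)` expresses the same quantity more readably than `skb->end - skb->tail`.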
--
2.30.2