[PATCH] net: ipv4: ipmr: Prevent information leak in ipmr_sk_ioctl()
From: Alper Ak
Date: Sat Dec 27 2025 - 02:38:48 EST

struct sioc_vif_req has a padding hole after the vifi field due to
alignment requirements. These padding bytes were uninitialized,
potentially leaking kernel stack memory to userspace when the
struct is copied via sock_ioctl_inout().

Reported by Smatch:
net/ipv4/ipmr.c:1575 ipmr_sk_ioctl() warn: check that 'buffer'
doesn't leak information (struct has a hole after 'vifi')

Fixes: e1d001fa5b47 ("net: ioctl: Use kernel memory on protocol ioctl callbacks")
Signed-off-by: Alper Ak <alperyasinak1@xxxxxxxxx>
---
net/ipv4/ipmr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index ca9eaee4c2ef..18441fbe7ed7 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1571,6 +1571,7 @@ int ipmr_sk_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
/* These userspace buffers will be consumed by ipmr_ioctl() */
case SIOCGETVIFCNT: {
struct sioc_vif_req buffer;
+ memset(&buffer, 0, sizeof(buffer));
return sock_ioctl_inout(sk, cmd, arg, &buffer,
sizeof(buffer));
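Review bot: the memset() added in the SIOCGETVIFCNT case may be redundant, and the changelog does not show why it is needed. The context comment says these are userspace buffers consumed by ipmr_ioctl(), and the call hands arg, &buffer and sizeof(buffer) to sock_ioctl_inout(); if that helper copies sizeof(buffer) bytes in from arg before the protocol ioctl runs, every byte of buffer, including the hole after vifi, already holds the caller's own data before anything is copied back. Please state in the commit message which path reaches the copy-out with the padding still uninitialized, or drop the change if the Smatch warning is a false positive. If the memset stays, put a blank line between the declaration `struct sioc_vif_req buffer;` and the statement, per kernel coding style.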
--
2.43.0
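
The padding hole the commit message describes, as an added example that is not part of the patch or the kernel source: a userspace C model that counts how many bytes of a field-by-field initialized object still hold old memory, with and without clearing it first. The mirror struct `vif_req_mirror` (field list assumed from the uapi header, not shown on this page), the `STALE` marker and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirror of struct sioc_vif_req; fields assumed from <linux/mroute.h>,
 * where vifi_t is an unsigned short. */
struct vif_req_mirror {
    unsigned short vifi;
    unsigned long icount, ocount, ibytes, obytes;
};

#define STALE 0xAA /* constructed marker standing in for old stack contents */

/* Size of the compiler-inserted hole between vifi and icount. */
size_t hole_after_vifi(void)
{
    return offsetof(struct vif_req_mirror, icount) - sizeof(unsigned short);
}

/* Model the bytes a whole-struct copy-out exposes: start from "stale
 * stack", optionally clear the object first (as the patch does), write
 * every named field at its real offset, then count stale bytes left. */
size_t stale_bytes_exposed(int zero_first)
{
    unsigned char raw[sizeof(struct vif_req_mirror)];
    const size_t off[] = {
        offsetof(struct vif_req_mirror, icount),
        offsetof(struct vif_req_mirror, ocount),
        offsetof(struct vif_req_mirror, ibytes),
        offsetof(struct vif_req_mirror, obytes),
    };
    unsigned short vifi = 1;
    unsigned long cnt = 42;
    size_t i, stale = 0;

    memset(raw, STALE, sizeof(raw));
    if (zero_first)
        memset(raw, 0, sizeof(raw));
    memcpy(raw + offsetof(struct vif_req_mirror, vifi), &vifi, sizeof(vifi));
    for (i = 0; i < 4; i++)
        memcpy(raw + off[i], &cnt, sizeof(cnt));
    for (i = 0; i < sizeof(raw); i++)
        stale += (raw[i] == STALE);
    return stale;
}

int main(void)
{
    printf("hole=%zu stale(no memset)=%zu stale(memset)=%zu\n",
           hole_after_vifi(), stale_bytes_exposed(0), stale_bytes_exposed(1));
    return 0;
}
```

The model writes through a byte buffer rather than struct member stores, so the result does not depend on what a compiler does with padding during assignment.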