CVE-2022-48855

Source
https://cve.org/CVERecord?id=CVE-2022-48855
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48855.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48855
Downstream
Related
Published
2024-07-16T12:25:21.145Z
Modified
2026-04-11T12:43:08.526475Z
Summary
sctp: fix kernel-infoleak for SCTP sockets
Details

In the Linux kernel, the following vulnerability has been resolved:

sctp: fix kernel-infoleak for SCTP sockets

syzbot reported a kernel infoleak [1] of 4 bytes.

After analysis, it turned out r->idiag_expires is not initialized if inet_sctp_diag_fill() calls inet_diag_msg_common_fill().

Make sure to clear idiag_timer/idiag_retrans/idiag_expires and let inet_diag_msg_sctpasoc_fill() fill them again if needed.

[1]

BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 copyout lib/iov_iter.c:154 [inline]
 _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
 copy_to_iter include/linux/uio.h:162 [inline]
 simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
 __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425
 skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
 skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]
 netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977
 sock_recvmsg_nosec net/socket.c:948 [inline]
 sock_recvmsg net/socket.c:966 [inline]
 __sys_recvfrom+0x795/0xa10 net/socket.c:2097
 __do_sys_recvfrom net/socket.c:2115 [inline]
 __se_sys_recvfrom net/socket.c:2111 [inline]
 __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slub.c:3247 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1158 [inline]
 netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248
 __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373
 netlink_dump_start include/linux/netlink.h:254 [inline]
 inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341
 sock_diag_rcv_msg+0x24a/0x620
 netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494
 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg net/socket.c:725 [inline]
 sock_write_iter+0x594/0x690 net/socket.c:1061
 do_iter_readv_writev+0xa7f/0xc70
 do_iter_write+0x52c/0x1500 fs/read_write.c:851
 vfs_writev fs/read_write.c:924 [inline]
 do_writev+0x645/0xe00 fs/read_write.c:967
 __do_sys_writev fs/read_write.c:1040 [inline]
 __se_sys_writev fs/read_write.c:1037 [inline]
 __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Bytes 68-71 of 2508 are uninitialized
Memory access of size 2508 starts at ffff888114f9b000
Data copied to user address 00007f7fe09ff2e0

CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
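The KMSAN report above names the leaked span only as bytes 68-71 of the dump skb. The C program below is an added example, not kernel code and not part of the OSV record: it mirrors the uapi layouts of struct nlmsghdr and struct inet_diag_msg to show that reply offset 68 is exactly idiag_expires, and it models the pre-fix and post-fix shapes of inet_sctp_diag_fill() in userspace, with a poison byte standing in for the unzeroed kmalloc() memory that KMSAN tracks. The helper functions (common_fill, sctpasoc_fill, attrs_fill), the fake_sock struct and the sample socket values are constructed assumptions; only the field-clearing behaviour follows the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local mirrors of the uapi layouts (include/uapi/linux/netlink.h and
 * include/uapi/linux/inet_diag.h): same field order and widths, so this
 * builds without kernel headers. */
struct nlmsghdr_m {
	uint32_t nlmsg_len;
	uint16_t nlmsg_type;
	uint16_t nlmsg_flags;
	uint32_t nlmsg_seq;
	uint32_t nlmsg_pid;
};

struct inet_diag_sockid_m {
	uint16_t idiag_sport;
	uint16_t idiag_dport;
	uint32_t idiag_src[4];
	uint32_t idiag_dst[4];
	uint32_t idiag_if;
	uint32_t idiag_cookie[2];
};

struct inet_diag_msg_m {
	uint8_t idiag_family;
	uint8_t idiag_state;
	uint8_t idiag_timer;
	uint8_t idiag_retrans;
	struct inet_diag_sockid_m id;
	uint32_t idiag_expires;
	uint32_t idiag_rqueue;
	uint32_t idiag_wqueue;
	uint32_t idiag_uid;
	uint32_t idiag_inode;
};

/* kmalloc() does not zero; stale heap contents are modelled by a poison byte
 * (a stand-in for KMSAN's "uninitialized" shadow). */
#define POISON 0x5A

union reply_buf {
	uint8_t data[sizeof(struct nlmsghdr_m) + sizeof(struct inet_diag_msg_m)];
	struct { struct nlmsghdr_m nlh; struct inet_diag_msg_m msg; } m;
};

/* Constructed stand-in for the socket/association state the kernel reads. */
struct fake_sock {
	uint8_t family, state;
	uint16_t sport, dport;
	int has_asoc;          /* 0: endpoint without an association (the leaking path) */
	uint32_t asoc_expires; /* ms until the next association timer, if any */
};

/* Model of inet_diag_msg_common_fill(): family and socket id only (assumption). */
static void common_fill(struct inet_diag_msg_m *r, const struct fake_sock *sk)
{
	r->idiag_family = sk->family;
	memset(&r->id, 0, sizeof r->id);
	r->id.idiag_sport = sk->sport;
	r->id.idiag_dport = sk->dport;
}

/* Model of inet_diag_msg_sctpasoc_fill(): the only writer of idiag_expires
 * before the fix (assumption about internals; role taken from the page). */
static void sctpasoc_fill(struct inet_diag_msg_m *r, const struct fake_sock *sk)
{
	common_fill(r, sk);
	r->idiag_state = sk->state;
	r->idiag_timer = 1;
	r->idiag_retrans = 0;
	r->idiag_expires = sk->asoc_expires;
}

/* Model of inet_diag_msg_attrs_fill(): queue sizes, uid, inode (assumption). */
static void attrs_fill(struct inet_diag_msg_m *r)
{
	r->idiag_rqueue = 0;
	r->idiag_wqueue = 0;
	r->idiag_uid = 1000;
	r->idiag_inode = 4242;
}

/* Model of inet_sctp_diag_fill(). fixed == 0: idiag_expires is written only on
 * the association path. fixed == 1: timer/retrans/expires are cleared first and
 * sctpasoc_fill() may overwrite them, which is what the commit message describes. */
static void sctp_diag_fill(union reply_buf *b, const struct fake_sock *sk, int fixed)
{
	memset(b->data, POISON, sizeof b->data);   /* fresh, unzeroed skb */
	b->m.nlh.nlmsg_len = sizeof b->data;
	b->m.nlh.nlmsg_type = 20;   /* SOCK_DIAG_BY_FAMILY */
	b->m.nlh.nlmsg_flags = 2;   /* NLM_F_MULTI */
	b->m.nlh.nlmsg_seq = 1;
	b->m.nlh.nlmsg_pid = 0;

	b->m.msg.idiag_timer = 0;
	b->m.msg.idiag_retrans = 0;
	if (fixed)
		b->m.msg.idiag_expires = 0;
	if (sk->has_asoc) {
		sctpasoc_fill(&b->m.msg, sk);
	} else {
		common_fill(&b->m.msg, sk);
		b->m.msg.idiag_state = sk->state;
	}
	attrs_fill(&b->m.msg);
}

struct uninit_span { int first, last, count; };

/* Poor man's KMSAN: which reply bytes still hold stale heap contents? */
static struct uninit_span scan_uninit(const union reply_buf *b)
{
	struct uninit_span s = { -1, -1, 0 };
	for (size_t i = 0; i < sizeof b->data; i++) {
		if (b->data[i] != POISON)
			continue;
		if (s.first < 0)
			s.first = (int)i;
		s.last = (int)i;
		s.count++;
	}
	return s;
}

/* Build one reply for the given variant and report the leaked byte span. */
struct uninit_span leak_check(int fixed, int has_asoc)
{
	struct fake_sock sk = { .family = 2 /* AF_INET */, .state = 10 /* LISTEN */,
	                        .sport = 8080, .dport = 0,
	                        .has_asoc = has_asoc, .asoc_expires = 3000 };
	union reply_buf b;
	sctp_diag_fill(&b, &sk, fixed);
	return scan_uninit(&b);
}

/* Offset of idiag_expires within the netlink reply: the "68" KMSAN printed. */
size_t expires_offset_in_reply(void)
{
	return sizeof(struct nlmsghdr_m) + offsetof(struct inet_diag_msg_m, idiag_expires);
}

int main(void)
{
	struct uninit_span s = leak_check(0, 0);
	printf("idiag_expires sits at reply byte %zu\n", expires_offset_in_reply());
	printf("pre-fix, no association:  bytes %d-%d uninitialized (%d bytes)\n",
	       s.first, s.last, s.count);
	s = leak_check(1, 0);
	printf("post-fix, no association: %d uninitialized bytes\n", s.count);
	return 0;
}
```

Compile with cc -std=c99 and run: the pre-fix variant reports bytes 68-71, the same span as the KMSAN line (16 bytes of nlmsghdr plus the 52-byte offset of idiag_expires), and the post-fix variant reports none. The model is deliberately narrow; the real trigger, visible in the allocation trace above, is a NETLINK_SOCK_DIAG dump request written to a netlink socket and read back with recvfrom() on an unpatched kernel, which this program does not attempt.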

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48855.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8f840e47f190cbe61a96945c13e9551048d42cef
Fixed
3fc0fd724d199e061432b66a8d85b7d48fe485f7
Fixed
41a2864cf719c17294f417726edd411643462ab8
Fixed
2d8fa3fdf4542a2174a72d92018f488d65d848c5
Fixed
bbf59d7ae558940cfa2b36a287fd1e88d83f89f8
Fixed
b7e4d9ba2ddb78801488b4c623875b81fb46b545
Fixed
1502f15b9f29c41883a6139f2923523873282a83
Fixed
d828b0fe6631f3ae8709ac9a10c77c5836c76a08
Fixed
633593a808980f82d251d0ca89730d8bb8b0220c

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48855.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.7.0
Fixed
4.9.307
Type
ECOSYSTEM
Events
Introduced
4.10.0
Fixed
4.14.272
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.235
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.185
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.106
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.29
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.15

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48855.json"