CVE-2024-35893

Source
https://cve.org/CVERecord?id=CVE-2024-35893
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35893.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-35893
Published
2024-05-19T08:34:48.737Z
Modified
2026-03-13T07:55:24.103269Z
Summary
net/sched: act_skbmod: prevent kernel-infoleak
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_skbmod: prevent kernel-infoleak

syzbot found that tcf_skbmod_dump() was copying four bytes from kernel stack to user space [1].

The issue here is that 'struct tc_skbmod' has a four-byte hole.

We need to clear the structure before filling fields.

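The hole and the clear-before-fill fix, as an added C example (not the kernel's own code): the struct layout is an assumption modelled on five generic 32-bit action fields followed by a 64-bit flags word, and the 0xAA "dirty stack" pattern is constructed so the leaked bytes can be counted deterministically.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Model of the dumped struct (an assumption, not the kernel's uapi header):
 * five 32-bit generic fields, then an 8-byte-aligned 64-bit flags word,
 * which leaves a 4-byte alignment hole just before 'flags'. */
struct tc_skbmod_model {
    uint32_t index;
    uint32_t capab;
    int32_t  action;
    int32_t  refcnt;
    int32_t  bindcnt;
    _Alignas(8) uint64_t flags;
};
#define HOLE_START (offsetof(struct tc_skbmod_model, bindcnt) + sizeof(int32_t))
#define HOLE_END   offsetof(struct tc_skbmod_model, flags)

/* Size of the padding that field-by-field initialisation never touches. */
size_t skbmod_hole_bytes(void) { return HOLE_END - HOLE_START; }

/* Buggy pattern: every named field is written, the hole is not, so whatever
 * the stack held before is copied to user space along with the fields. */
static void fill_without_clear(struct tc_skbmod_model *o, uint32_t index, uint64_t flags)
{
    o->index = index;  o->capab = 0;   o->action = 0;
    o->refcnt = 1;     o->bindcnt = 0; o->flags = flags;
}

/* Fixed pattern: zero the whole object first, then fill the fields. */
static void fill_with_clear(struct tc_skbmod_model *o, uint32_t index, uint64_t flags)
{
    memset(o, 0, sizeof(*o));
    fill_without_clear(o, index, flags);
}

/* Simulate a dirty stack slot (constructed 0xAA pattern), fill it either
 * way, and return how many hole bytes still hold the old contents. */
size_t demo_dirty_bytes(int clear_first)
{
    struct tc_skbmod_model opt;
    const unsigned char *p = (const unsigned char *)&opt;
    size_t dirty = 0;
    memset(&opt, 0xAA, sizeof(opt));
    if (clear_first)
        fill_with_clear(&opt, 7, 1);
    else
        fill_without_clear(&opt, 7, 1);
    for (size_t i = HOLE_START; i < HOLE_END; i++)
        dirty += (p[i] != 0);
    return dirty;
}
```

A KMSAN run flags exactly those hole bytes as uninitialised when the struct is handed to nla_put(); with the memset in place the count drops to zero.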
Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35893.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
86da71b57383d40993cb90baafb3735cffe5d800
Fixed
f190a4aa03cbd518bd9c62a66e1233984f5fd2ec
Fixed
f356eb2fb567e0931143ac1769ac802d3b3e2077
Fixed
5e45dc4408857305f4685abfd7a528a1e58b51b5
Fixed
a097fc199ab5f4b5392c5144034c0d2148b55a14
Fixed
55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366
Fixed
729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924
Fixed
7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c
Fixed
d313eb8b77557a6d5855f42d2234bd592c7b50dd

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35893.json"