Re: [PATCH net] netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter

[Eric Dumazet]

On Wed, Feb 21, 2024 at 8:42 AM Ryosuke Yasuoka <ryasuoka@xxxxxxxxxx> wrote:
>
> syzbot reported the following uninit-value access issue [1]:
>
> netlink_to_full_skb() creates a new `skb` and puts the `skb->data`
> passed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data
> size is specified as `len` and passed to skb_put_data(). This `len`
> is based on `skb->end` that is not data offset but buffer offset. The
> `skb->end` contains data and tailroom. Since the tailroom is not
> initialized when the new `skb` created, KMSAN detects uninitialized
> memory area when copying the data.
>
> This patch resolved this issue by correct the len from `skb->end` to
> `skb->len`, which is the actual data offset.
>
>
> Bytes 3852-3903 of 3904 are uninitialized
> Memory access of size 3904 starts at ffff88812ea1e000
> Data copied to user address 0000000020003280
>
> CPU: 1 PID: 5043 Comm: syz-executor297 Not tainted 6.7.0-rc5-syzkaller-00047-g5bd7ef53ffe5 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
>
> Fixes: 1853c9496460 ("netlink, mmap: transform mmap skb into full skb on taps")
> Reported-and-tested-by: syzbot+34ad5fab48f7bf510349@syzkaller.appspotmailcom
> Closes: https://syzkaller.appspot.com/bug?extid=34ad5fab48f7bf510349 [1]
> Signed-off-by: Ryosuke Yasuoka <ryasuoka@xxxxxxxxxx>

These vmalloc() skbs have caused so many issues, thanks for this fix.

Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>