[PATCH v3 1/2] net: sched: act_connmark: initialize struct tc_ife to fix kernel leak

Ranganath V N posted 2 patches 1 month, 1 week ago
Posted by Ranganath V N 1 month, 1 week ago
In tcf_connmark_dump(), the variable 'opt' was partially initialized using a
designated initializer, while the padding bytes remained
uninitialized. Since nla_put() copies the entire structure into a
netlink message, these uninitialized bytes leaked to userspace.

Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to being copied.

Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>
---
 net/sched/act_connmark.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c
index 3e89927d7116..2aaaaee9b6bb 100644
--- a/net/sched/act_connmark.c
+++ b/net/sched/act_connmark.c
@@ -195,13 +195,15 @@ static inline int tcf_connmark_dump(struct sk_buff *skb, struct tc_action *a,
 	const struct tcf_connmark_info *ci = to_connmark(a);
 	unsigned char *b = skb_tail_pointer(skb);
 	const struct tcf_connmark_parms *parms;
-	struct tc_connmark opt = {
-		.index   = ci->tcf_index,
-		.refcnt  = refcount_read(&ci->tcf_refcnt) - ref,
-		.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind,
-	};
+	struct tc_connmark opt;
 	struct tcf_t t;
 
+	memset(&opt, 0, sizeof(opt));
+
+	index   = ci->tcf_index;
+	refcnt  = refcount_read(&ci->tcf_refcnt) - ref;
+	bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;
+
 	rcu_read_lock();
 	parms = rcu_dereference(ci->parms);
 
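Review bot: the three new assignments `index   = ci->tcf_index;`, `refcnt  = refcount_read(&ci->tcf_refcnt) - ref;` and `bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;` drop the `opt.` prefix, so they name identifiers that are not declared anywhere in tcf_connmark_dump() and the hunk cannot compile; they should read `opt.index = ci->tcf_index;`, `opt.refcnt = refcount_read(&ci->tcf_refcnt) - ref;` and `opt.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;`. The memset-then-assign shape is otherwise the right fix for the padding leak, since the removed designated initializer leaves the struct's padding bytes unspecified while nla_put() copies sizeof(opt) bytes verbatim.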
-- 
2.43.0
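An added user-space model of the leak this commit message describes, written for this thread and not taken from the kernel tree: `struct demo_connmark`, `put_and_check_padding()`, `dump_cleared()` and `dump_designated()` are constructed names, and the struct only approximates the layout of tc_connmark (a handful of 32-bit members followed by a 16-bit zone, which leaves trailing padding).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for struct tc_connmark (not the kernel's exact layout):
 * four 32-bit members plus a 16-bit zone leaves two trailing padding bytes. */
struct demo_connmark {
	uint32_t index;
	int refcnt, bindcnt, action;
	uint16_t zone;
};

/* Stand-in for nla_put(): copies the whole object into a message buffer, padding
 * included, and returns 1 only if every byte past the last member is zero. */
static int put_and_check_padding(const struct demo_connmark *opt)
{
	unsigned char msg[sizeof(*opt)];
	size_t i = offsetof(struct demo_connmark, zone) + sizeof(opt->zone);

	memcpy(msg, opt, sizeof(*opt));
	for (; i < sizeof(*opt); i++)
		if (msg[i] != 0)
			return 0;	/* this byte would reach userspace uninitialised */
	return 1;
}

/* Mirrors the corrected hunk: memset first, then assign through opt. The
 * action and zone values are constructed stand-ins for parms->action/zone. */
static int dump_cleared(uint32_t index, int refcnt, int bindcnt)
{
	struct demo_connmark opt;

	memset(&opt, 0, sizeof(opt));
	opt.index = index;
	opt.refcnt = refcnt;
	opt.bindcnt = bindcnt;
	opt.action = 1;
	opt.zone = 7;
	return put_and_check_padding(&opt);
}

/* Mirrors the removed code: a designated initializer zeroes the members it
 * does not name, but C leaves padding unspecified, so this may return 0. */
static int dump_designated(uint32_t index, int refcnt, int bindcnt)
{
	struct demo_connmark opt = { .index = index, .refcnt = refcnt, .bindcnt = bindcnt };
	opt.action = 1;
	opt.zone = 7;
	return put_and_check_padding(&opt);
}
```

Only the memset path has a defined result; whether dump_designated() reports a clean buffer depends on whatever the stack held, which is exactly why the kernel fix cannot rely on the initializer.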
Re: [PATCH v3 1/2] net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
Posted by kernel test robot 1 month, 1 week ago
Hi Ranganath,

kernel test robot noticed the following build errors:

[auto build test ERROR on net-next/main]
[also build test ERROR on net/main linus/master v6.18-rc4 next-20251107]
[cannot apply to horms-ipvs/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Ranganath-V-N/net-sched-act_connmark-initialize-struct-tc_ife-to-fix-kernel-leak/20251107-035911
base:   net-next/main
patch link:    https://lore.kernel.org/r/20251106195635.2438-2-vnranganath.20%40gmail.com
patch subject: [PATCH v3 1/2] net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
config: x86_64-rhel-9.4-kselftests (https://download.01.org/0day-ci/archive/20251108/202511080914.Sb6puKZN-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251108/202511080914.Sb6puKZN-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202511080914.Sb6puKZN-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/sched/act_connmark.c: In function 'tcf_connmark_dump':
>> net/sched/act_connmark.c:203:9: error: 'index' undeclared (first use in this function)
     203 |         index   = ci->tcf_index;
         |         ^~~~~
   net/sched/act_connmark.c:203:9: note: each undeclared identifier is reported only once for each function it appears in
>> net/sched/act_connmark.c:204:9: error: 'refcnt' undeclared (first use in this function)
     204 |         refcnt  = refcount_read(&ci->tcf_refcnt) - ref;
         |         ^~~~~~
>> net/sched/act_connmark.c:205:9: error: 'bindcnt' undeclared (first use in this function); did you mean 'bind'?
     205 |         bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;
         |         ^~~~~~~
         |         bind


vim +/index +203 net/sched/act_connmark.c

   191	
   192	static inline int tcf_connmark_dump(struct sk_buff *skb, struct tc_action *a,
   193					    int bind, int ref)
   194	{
   195		const struct tcf_connmark_info *ci = to_connmark(a);
   196		unsigned char *b = skb_tail_pointer(skb);
   197		const struct tcf_connmark_parms *parms;
   198		struct tc_connmark opt;
   199		struct tcf_t t;
   200	
   201		memset(&opt, 0, sizeof(opt));
   202	
 > 203		index   = ci->tcf_index;
 > 204		refcnt  = refcount_read(&ci->tcf_refcnt) - ref;
 > 205		bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;
   206	
   207		rcu_read_lock();
   208		parms = rcu_dereference(ci->parms);
   209	
   210		opt.action = parms->action;
   211		opt.zone = parms->zone;
   212		if (nla_put(skb, TCA_CONNMARK_PARMS, sizeof(opt), &opt))
   213			goto nla_put_failure;
   214	
   215		tcf_tm_dump(&t, &ci->tcf_tm);
   216		if (nla_put_64bit(skb, TCA_CONNMARK_TM, sizeof(t), &t,
   217				  TCA_CONNMARK_PAD))
   218			goto nla_put_failure;
   219		rcu_read_unlock();
   220	
   221		return skb->len;
   222	
   223	nla_put_failure:
   224		rcu_read_unlock();
   225		nlmsg_trim(skb, b);
   226		return -1;
   227	}
   228	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Re: [PATCH v3 1/2] net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
Posted by Simon Horman 1 month, 1 week ago
On Fri, Nov 07, 2025 at 01:26:33AM +0530, Ranganath V N wrote:
> In tcf_connmark_dump(), the variable 'opt' was partially initialized using a
> designated initializer, while the padding bytes remained
> uninitialized. Since nla_put() copies the entire structure into a
> netlink message, these uninitialized bytes leaked to userspace.
> 
> Initialize the structure with memset before assigning its fields
> to ensure all members and padding are cleared prior to being copied.
> 
> Signed-off-by: Ranganath V N <vnranganath.20@gmail.com>

Hi Ranganath,

Sorry for not noticing in my review of v2, but as this series fixes bugs in
code present in net it should be targeted at net.  This is done by
including net in the subject of each email, like this:

Subject: [PATCH net v3 1/2] ...

And this patch should have a fixes tag (patch 2/2 already has one).

Fixes: 22a5dc0e5e3e ("net: sched: Introduce connmark action")

Also, when posting v4, please be sure to wait until 24h have
elapsed since the posting of v3.

For more information about the above please see
https://docs.kernel.org/process/maintainer-netdev.html

> ---
>  net/sched/act_connmark.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
> 
> diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c
> index 3e89927d7116..2aaaaee9b6bb 100644
> --- a/net/sched/act_connmark.c
> +++ b/net/sched/act_connmark.c
> @@ -195,13 +195,15 @@ static inline int tcf_connmark_dump(struct sk_buff *skb, struct tc_action *a,
>  	const struct tcf_connmark_info *ci = to_connmark(a);
>  	unsigned char *b = skb_tail_pointer(skb);
>  	const struct tcf_connmark_parms *parms;
> -	struct tc_connmark opt = {
> -		.index   = ci->tcf_index,
> -		.refcnt  = refcount_read(&ci->tcf_refcnt) - ref,
> -		.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind,
> -	};
> +	struct tc_connmark opt;
>  	struct tcf_t t;
>  
> +	memset(&opt, 0, sizeof(opt));
> +
> +	index   = ci->tcf_index;
> +	refcnt  = refcount_read(&ci->tcf_refcnt) - ref;
> +	bindcnt = atomic_read(&ci->tcf_bindcnt) - bind;

I think some editing errors have crept in here,
because the above does not compile: index should be opt.index, ...

> +
>  	rcu_read_lock();
>  	parms = rcu_dereference(ci->parms);
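Review bot: the subject line says "initialize struct tc_ife", but the hunk replaces `struct tc_connmark opt = {` with `struct tc_connmark opt;` and only touches net/sched/act_connmark.c; the subject should name struct tc_connmark so the commit log describes the structure actually being cleared.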

-- 
pw-bot: changes-requested