From nobody Tue Apr 7 14:41:27 2026 Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4E86135DA45 for ; Thu, 12 Mar 2026 15:42:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773330150; cv=none; b=DnQO3kbwmnww40WcT+0uIOPtWaqZePW+CQnu/FlrgFctUn6bXbvJakNNMoccr/7kvW2KHQg5AWIKBzIa0sqwUmFwLIwxKglUW2HB81Wa61jsiIEJlxIpKLC4krYcEF6E1KXQMsjHJtQXitSYjSdF8kdBmCrmbB1sA/Xhac4gxV0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773330150; c=relaxed/simple; bh=4PzX/2BcEMYN6bus1PXJ1eWTdsO2FXz36Sheli+4r/8=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc; b=RDLhOVAfKPtrsit51KSxbppG6hblCsQo0Jwz2DfaXPrRwQVJJE34SOmXhA+OqUw+AKnvITDa6su1pG3uHOK/pPGyXbfCbx3Y5jrtw0FqrgJuQ1tcdVXrvfyl+v9Pn4drqmOaXqfK+m5kmszatPwGVJtOxn2NAYHytK4PsargrlM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=googlemail.com; spf=pass smtp.mailfrom=googlemail.com; dkim=pass (2048-bit key) header.d=googlemail.com header.i=@googlemail.com header.b=nMiNRzpq; arc=none smtp.client-ip=209.85.128.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=googlemail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=googlemail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=googlemail.com header.i=@googlemail.com header.b="nMiNRzpq" Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-4852e09e23dso10071665e9.0 for ; Thu, 12 Mar 2026 08:42:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20230601; t=1773330148; x=1773934948; darn=vger.kernel.org; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:from:to:cc:subject:date:message-id:reply-to; bh=XIFxCq7ikd000RdSw5JxwXtTNKqwm1bQP1nyQMPePDA=; b=nMiNRzpq2p+rrHQqIp0JMOM+lsSzwPzmD9bh1X/ZP/A6xCy3DyTtlJlm6AXp2nF35h KsHbg8J6ronKlwpjSEtKTgch46wv7yVVsxokS7XP5Q8gLPR0IV6YC39Uf4wgzlZrzMtb wLfo1yy6g3I3uhPCIuvEJWIB/ErvSinvDjpptSFGT9jSgB/9XM5O5D6OJ6SZtHmRDKxI Y9ceRHJsZtPSNI29XfP49Ous2ZXtrjiRwvSEswcAdGYybL8Z8GKxN5il/aegNYKi1/c+ ds9N9XWEpv9XNA0j3dvl6Dikgl8tE2e8iu//t4DjVfesdJuRKqR484dGLxDbL0yw9rBi n2QA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1773330148; x=1773934948; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=XIFxCq7ikd000RdSw5JxwXtTNKqwm1bQP1nyQMPePDA=; b=Vi/D51HrQMo+mxgiubgxQbOO77kWr3sAWx/sOlGNN1knX9rfzqpag9JNeLSRgO0BZb /fVwdPKHmc/AklpOK+Mhop6S02S1amMgP5VrhcmJBUPHgZa7titMBGY6gsSupeeVw7KO /pwwF9JWg3i1NUsEB1wZxo9cte+3sYRV3u+1eozBox0Kj0xpL3ZiNxelUIvnX4PgdijR BWybgDV1DwTx1I+Qa27FqYYjfsbaAEBrTs5oT1ZLhAGyRNp+6SE2GLNdr/45zM/WMUlA n7xqHMVurHgIQyrQVGK3ypA81vnd/2VVv+iPN10WimQb8xuK3rPH81cVgK/VEdlqJ7jk ZXKg== X-Gm-Message-State: AOJu0Yx7YH7s/dIgJ2xrfiysnfrjDMJq3XQlO8aD+IvGfycs855mpjgA s2aIDNDwZhtyeD822+3ojynvU9POqP2zjlDTUu72DVjhgp5Sr2bcdPDX X-Gm-Gg: ATEYQzyaOF3fXhB/ThFnH13Cmahxm4PX7C5LhjoXeM/YmELifVp+at5QiyTY4JGGc5g Dx+LvXzHPP4kHbFK2FE1oW6ZvczoZYX8rtgD3C+2darYslSm2AB+DqiIxziONUtHJvyrSAMERnm X38Frrh/HbhV9qNK5K7rs0Rljezyqgfv81ewpE2hdfq76trrjwjxLfmwuayquEzuBFi2KC4VmaF CzUapC73kfKO+9Vp5VwQW8D7X8moEdhM+Gy0KRBjjIsNmDuc12k6AjvV6PxjadStAGcqmH68Eez ypMI+92GO1wYZpRZuBR52B+PNNPDBQkQmN04AslldIq3OvDw0+rQvhLbdvIN37l9OL3IhhLwnx7 n8Qx4Tk9mTOHGT0nKdpeZCty3+t80FSEYksSzgcVOz7iaE4syhpbNST5VWmLffZcJtfBkvxJYoN PaBm/ueu09GMH6A3wcGJS+4CZXeo69yr6bZ+3Jb1HbCWJZUg== X-Received: by 2002:a05:600c:4710:b0:485:34b3:858a with SMTP id 5b1f17b1804b1-4854b0bb3bbmr113297805e9.11.1773330147379; Thu, 12 Mar 2026 08:42:27 -0700 (PDT) Received: from ccde1gl2920.devint.net.sap ([130.214.226.57]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48541acea11sm269359615e9.7.2026.03.12.08.42.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 Mar 2026 08:42:26 -0700 (PDT) From: Marc Buerg Date: Thu, 12 Mar 2026 16:42:19 +0100 Subject: [PATCH] sysctl: fix uninitialized variable in proc_do_large_bitmap Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260312-fix-uninitialized-variable-in-proc_do_large_bitmap-v1-1-35ad2dddaf21@googlemail.com> X-B4-Tracking: v=1; b=H4sIAAAAAAAC/x2NQQqDMBAAvyJ77kISWw/9SilhTVa7kCayUSkV/ 97Q48Awc0BlFa5w7w5Q3qVKyQ3spYPwojwzSmwMzrjB9NbhJB/csmRZhZJ8OeJOKjSmZmZctAQ fi0+kM/tR1jct2Jsw8HSlYMMNWnhRbpX/9PE8zx+xyS/5hAAAAA== X-Change-ID: 20260312-fix-uninitialized-variable-in-proc_do_large_bitmap-30c6ef4ac1c5 To: Kees Cook , Joel Granados Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, stable@vger.kernel.org, Elias Oezcan , Marc Buerg X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1773330146; l=3076; i=buermarc@googlemail.com; s=20260312; h=from:subject:message-id; bh=4PzX/2BcEMYN6bus1PXJ1eWTdsO2FXz36Sheli+4r/8=; b=jREgJ67/0Ad7cnev4wVPe9MLshX0zf4fyPwS70dVonHWj6g5mIcCY8ZALOllSiTbgn0rr78kb pg+WIR0Gz3ADvkLbbdYNsGbJBy/7Ooaxa/zP/RBy1RjSlqvb0yznUrQ X-Developer-Key: i=buermarc@googlemail.com; a=ed25519; pk=kBZIEGh9yNUzqCz87kygF7XqwPxTWvwm4+HUrOuckyM= proc_do_large_bitmap() does not initialize variable c, which is expected to be set to a trailing character by proc_get_long(). However, proc_get_long() only sets c when the input buffer contains a trailing character after the parsed value. If c is not initialized it may happen to contain a '-'. If this is the case proc_do_large_bitmap() expects to be able to parse a second part of the input buffer. If there is no second part an unjustified -EINVAL will be returned. Initialize c to 0 to prevent returning -EINVAL on valid input. --- When writing to /proc/sys/net/ipv4/ip_local_reserved_ports it is possible to receive an -EINVAL for a valid value. This happens due to an uninitialized variable in the proc_do_large_bitmap() function, namely char c. To trigger this behavior the variable has to contain the later explicitly checked '-' char by chance. In proc_do_large_bitmap() it is expected that the variable might be filled by the proc_get_long() function with the trailing character of the given input. But only if a trailing character exists within the passed size of the buffer. The proc_get_long() function can set c if the length of the parsed long is smaller than the given size of the buffer containing the user input. This is not the case if the buffer only contains the port value (e.g. "123") and sets the size exactly to that (3). Meaning if there is no trailing character, c will not be set. If no trailing character is present we still do a c =3D=3D '-' check. If the uninitialized variable contains this char the function continues parsing. It will now set err to -EINVAL in the next proc_get_long() call, as there is nothing more to parse. Initializing c to 0 will solve the problem. The problem will only arise sporadically, as the variable must contain '-' by chance. On the affected system CONFIG_INIT_STACK_NONE=3Dy was enabled. Further, when enabling eBPF tracing to dump contents of the stack the issue disappears, which would fit the current explanation as a root cause for the observed behavior. Fixes: 9f977fb7ae9d ("sysctl: add proc_do_large_bitmap") Signed-off-by: Marc Buerg --- kernel/sysctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 9d3a666ffde1..c9efb17cc255 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -1118,7 +1118,7 @@ int proc_do_large_bitmap(const struct ctl_table *tabl= e, int dir, unsigned long bitmap_len =3D table->maxlen; unsigned long *bitmap =3D *(unsigned long **) table->data; unsigned long *tmp_bitmap =3D NULL; - char tr_a[] =3D { '-', ',', '\n' }, tr_b[] =3D { ',', '\n', 0 }, c; + char tr_a[] =3D { '-', ',', '\n' }, tr_b[] =3D { ',', '\n', 0 }, c =3D 0; =20 if (!bitmap || !bitmap_len || !left || (*ppos && SYSCTL_KERN_TO_USER(dir)= )) { *lenp =3D 0; --- base-commit: 80234b5ab240f52fa45d201e899e207b9265ef91 change-id: 20260312-fix-uninitialized-variable-in-proc_do_large_bitmap-30c6= ef4ac1c5 Best regards, --=20 Marc Buerg