From: Zhengchuan Liang
To: netdev@vger.kernel.org, steffen.klassert@secunet.com, herbert@gondor.apana.org.au
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, linux-kernel@vger.kernel.org, shinta.sugimoto@ericsson.com, nakam@linux-ipv6.org, yoshfuji@linux-ipv6.org, yifanwucs@gmail.com, tomapufckgml@gmail.com, yuantan098@gmail.com, bird@lzu.edu.cn, lx24@stu.ynu.edu.cn
Subject: [PATCH net] net: af_key: zero aligned sockaddr tail in PF_KEY exports
Date: Sun, 22 Mar 2026 11:46:08 -0700
Message-ID: <20260322184608.1048146-1-zcliangcn@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, `pfkey_sockaddr_fill()` initializes only the first 28 bytes of `struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.

Not every PF_KEY message is affected. The state and policy dump builders already zero the whole message buffer before filling the sockaddr payloads. Keep the fix to the export paths that still append aligned sockaddr payloads with plain `skb_put()`:

- `SADB_ACQUIRE`
- `SADB_X_NAT_T_NEW_MAPPING`
- `SADB_X_MIGRATE`

Fix those paths by clearing only the aligned sockaddr tail after `pfkey_sockaddr_fill()`.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Fixes: 08de61beab8a ("[PFKEYV2]: Extension for dynamic update of endpoint address(es)")
Reported-by: Yifan Wu
Reported-by: Juefei Pu
Co-developed-by: Yuan Tan
Signed-off-by: Yuan Tan
Suggested-by: Xin Liu
Tested-by: Xiao Liu
Signed-off-by: Zhengchuan Liang
---
 net/key/af_key.c | 52 +++++++++++++++++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 18 deletions(-)

diff --git a/net/key/af_key.c b/net/key/af_key.c index 0756bac62f7c0..f3f8f3c15a940 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -757,6 +757,22 @@ static unsigned int pfkey_sockaddr_fill(const xfrm_add= ress_t *xaddr, __be16 port return 0; } =20 +static unsigned int pfkey_sockaddr_fill_zero_tail(const xfrm_address_t *xa= ddr, + __be16 port, + struct sockaddr *sa, + unsigned short family) +{ + unsigned int prefixlen; + int sockaddr_len =3D pfkey_sockaddr_len(family); + int sockaddr_size =3D pfkey_sockaddr_size(family); + + prefixlen =3D pfkey_sockaddr_fill(xaddr, port, sa, family); + if (sockaddr_size > sockaddr_len) + memset((u8 *)sa + sockaddr_len, 0, sockaddr_size - sockaddr_len); + + return prefixlen; +} + static struct sk_buff *__pfkey_xfrm_state2msg(const struct xfrm_state *x, int add_keys, int hsc) { @@ -3206,9 +3222,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, s= truct xfrm_tmpl *t, struct addr->sadb_address_proto =3D 0; addr->sadb_address_reserved =3D 0; addr->sadb_address_prefixlen =3D - pfkey_sockaddr_fill(&x->props.saddr, 0, - (struct sockaddr *) (addr + 1), - x->props.family); + pfkey_sockaddr_fill_zero_tail(&x->props.saddr, 0, + (struct sockaddr *)(addr + 1), + x->props.family); if (!addr->sadb_address_prefixlen) BUG(); =20 @@ -3221,9 +3237,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, s= truct xfrm_tmpl *t, struct addr->sadb_address_proto =3D 0; addr->sadb_address_reserved =3D 0; addr->sadb_address_prefixlen =3D - pfkey_sockaddr_fill(&x->id.daddr, 0, - (struct sockaddr *) (addr + 1), - x->props.family); + pfkey_sockaddr_fill_zero_tail(&x->id.daddr, 0, + (struct sockaddr *)(addr + 1), + x->props.family); if (!addr->sadb_address_prefixlen) BUG(); =20 
@@ -3421,9 +3437,9 @@ static int pfkey_send_new_mapping(struct xfrm_state *= x, xfrm_address_t *ipaddr, addr->sadb_address_proto =3D 0; addr->sadb_address_reserved =3D 0; addr->sadb_address_prefixlen =3D - pfkey_sockaddr_fill(&x->props.saddr, 0, - (struct sockaddr *) (addr + 1), - x->props.family); + pfkey_sockaddr_fill_zero_tail(&x->props.saddr, 0, + (struct sockaddr *)(addr + 1), + x->props.family); if (!addr->sadb_address_prefixlen) BUG(); =20 @@ -3443,9 +3459,9 @@ static int pfkey_send_new_mapping(struct xfrm_state *= x, xfrm_address_t *ipaddr, addr->sadb_address_proto =3D 0; addr->sadb_address_reserved =3D 0; addr->sadb_address_prefixlen =3D - pfkey_sockaddr_fill(ipaddr, 0, - (struct sockaddr *) (addr + 1), - x->props.family); + pfkey_sockaddr_fill_zero_tail(ipaddr, 0, + (struct sockaddr *)(addr + 1), + x->props.family); if (!addr->sadb_address_prefixlen) BUG(); =20 @@ -3474,15 +3490,15 @@ static int set_sadb_address(struct sk_buff *skb, in= t sasize, int type, switch (type) { case SADB_EXT_ADDRESS_SRC: addr->sadb_address_prefixlen =3D sel->prefixlen_s; - pfkey_sockaddr_fill(&sel->saddr, 0, - (struct sockaddr *)(addr + 1), - sel->family); + pfkey_sockaddr_fill_zero_tail(&sel->saddr, 0, + (struct sockaddr *)(addr + 1), + sel->family); break; case SADB_EXT_ADDRESS_DST: addr->sadb_address_prefixlen =3D sel->prefixlen_d; - pfkey_sockaddr_fill(&sel->daddr, 0, - (struct sockaddr *)(addr + 1), - sel->family); + pfkey_sockaddr_fill_zero_tail(&sel->daddr, 0, + (struct sockaddr *)(addr + 1), + sel->family); break; default: return -EINVAL; --=20 2.43.0
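
Review bot: In the first hunk, the new pfkey_sockaddr_fill_zero_tail() sits next to pfkey_sockaddr_fill() with nothing telling a future caller which of the two to use, so a new export path can easily pick the non-zeroing one again. Consider clearing the tail inside pfkey_sockaddr_fill() itself, since per the commit message the dump builders already zero their buffers and an extra 4-byte clear would not change their output; if the wrapper stays, add a short comment above it saying it must be used whenever the slot was reserved without zeroing. Minor: sockaddr_len and sockaddr_size are declared int but are used as a memset offset and length, so unsigned int would match prefixlen, and netdev prefers the locals in reverse Christmas tree order.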
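
Review bot: In the pfkey_send_acquire() and pfkey_send_new_mapping() hunks, only the bytes after the sockaddr are cleared, so the result still relies on every other byte of each address extension being assigned by hand. The commit message says these paths reserve the payload with plain skb_put(); switching those reservations to skb_put_zero() would close the tail without a second fill helper and would also cover any field a later change forgets to set. If the per-call-site memset is preferred, a sentence in the commit message explaining why would help. The cast spacing change from `(struct sockaddr *) (addr + 1)` to `(struct sockaddr *)(addr + 1)` is fine since those lines are rewritten anyway.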
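
Review bot: In the set_sadb_address() hunk, the number of bytes cleared is recomputed from sel->family inside the helper, while the function already takes a size argument, `sasize`, as shown in the hunk header. Deriving the memset range from sasize, or checking that it equals pfkey_sockaddr_size(sel->family), would tie the cleared span to the size the caller passed in, so a mismatch between the two cannot make the memset stop short of the slot or run past it. The helper's return value is also discarded at both call sites here, unlike in the other converted paths where it feeds sadb_address_prefixlen; that is unchanged behaviour, but worth confirming as intended.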
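
The tail exposure described in the commit message, modelled in user space as an added example (not code from the patch or from the kernel). The names model_sockaddr_len, model_fill and stale_bytes_after_export are hypothetical, and the 0xAA fill is a constructed stand-in for uninitialized skb memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>

/* Model of the 8-byte rounding applied to the sockaddr slot (assumption). */
#define ALIGN8(len) (((len) + 7) & ~(size_t)7)

/* Meaningful sockaddr length for a family; 0 if unsupported. */
static size_t model_sockaddr_len(int family)
{
    switch (family) {
    case AF_INET:  return sizeof(struct sockaddr_in);
    case AF_INET6: return sizeof(struct sockaddr_in6);
    default:       return 0;
    }
}

/* Write only the sockaddr itself, leaving any aligned tail untouched. */
static void model_fill(uint8_t *slot, int family)
{
    struct sockaddr_in6 sin6 = { .sin6_family = AF_INET6 };
    struct sockaddr_in sin = { .sin_family = AF_INET };
    if (family == AF_INET6)
        memcpy(slot, &sin6, sizeof(sin6));
    else if (family == AF_INET)
        memcpy(slot, &sin, sizeof(sin));
}

/* Export one address slot from a dirty buffer; count stale bytes left in it. */
static size_t stale_bytes_after_export(int family, int zero_tail)
{
    uint8_t slot[64];
    size_t len = model_sockaddr_len(family), size = ALIGN8(len), stale = 0;
    memset(slot, 0xAA, sizeof(slot));      /* constructed stand-in for old heap data */
    model_fill(slot, family);
    if (zero_tail && size > len)
        memset(slot + len, 0, size - len); /* the fix: clear the aligned tail */
    for (size_t i = len; i < size; i++)
        stale += (slot[i] == 0xAA);
    return stale;
}

int main(void)
{
    printf("IPv6 stale tail bytes: unfixed=%zu fixed=%zu\n",
           stale_bytes_after_export(AF_INET6, 0), stale_bytes_after_export(AF_INET6, 1));
    return 0;
}
```

The same counting loop works as a regression check on captured PF_KEY messages: any nonzero byte between the sockaddr length and its 8-byte-aligned size in an IPv6 address extension indicates an unfixed export path.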