From: Weiming Shi
To: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: willemdebruijn.kernel@gmail.com, jasowang@redhat.com,
    andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com,
    kuba@kernel.org, pabeni@redhat.com, cong.wang@bytedance.com,
    stable@vger.kernel.org, xmei5@asu.edu, Weiming Shi
Subject: [PATCH] tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR
Date: Wed, 20 May 2026 00:57:38 -0700
Message-ID: <20260520075736.3415676-3-bestswngs@gmail.com>

In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an
uninitialised on-stack struct sockaddr_storage to userspace via
ifr_hwaddr, but netif_get_mac_address() only writes sa_family and
dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13]
uninitialised. Those 8 trailing bytes leak kernel stack contents;
SIOCGIFHWADDR on a macvtap chardev returns kernel .text and direct-map
pointers, defeating KASLR.

Initialise ss at declaration.

Fixes: 3b23a32a6321 ("net: fix dev_ifsioc_locked() race condition")
Reported-by: Xiang Mei
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Weiming Shi
Reviewed-by: Willem de Bruijn
--- drivers/net/tap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/tap.c b/drivers/net/tap.c index b8240737dc51..e1522101b9e4 100644 --- a/drivers/net/tap.c +++ b/drivers/net/tap.c
@@ -923,7 +923,7 @@ static long tap_ioctl(struct file *file, unsigned int c= md, unsigned int __user *up =3D argp; unsigned short u; int __user *sp =3D argp; - struct sockaddr_storage ss; + struct sockaddr_storage ss =3D {}; int s; int ret; =20 --=20 2.43.0
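
Review bot: The `struct sockaddr_storage ss = {};` declaration in tap_ioctl() closes the leak for this one caller, while the commit message locates the gap in netif_get_mac_address() writing only sa_family and dev->addr_len bytes. Any other caller that passes that helper an uninitialised on-stack buffer and then copies a fixed 16 bytes to userspace would have the same exposure, so it is worth auditing those callers in the same series or having the helper zero the remainder of sa_data itself. The empty initialiser is sufficient for this hunk because the bytes named in the message, sa_data[6..13], are member bytes rather than padding. When reading the hunk as shown, `=3D` is quoted-printable for `=` and `=20` for a trailing space, so the added line is `ss = {}`.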
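
A userspace model of the partial-write leak the commit message describes, added here as an example and not taken from the patch or from drivers/net/tap.c. The struct, function names and the 0xAA poison value are hypothetical; the poison is written explicitly so the stale bytes are deterministic instead of relying on indeterminate stack contents.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HWADDR_COPY_LEN 16    /* bytes copied out via ifr_hwaddr, per the commit message */
#define ETH_ADDR_LEN    6     /* dev->addr_len for Ethernet */
#define STACK_POISON    0xAA  /* constructed stand-in for stale kernel stack bytes */

/* Simplified stand-in for struct sockaddr: 2-byte family + 14 data bytes. */
struct model_sockaddr {
    uint16_t sa_family;
    uint8_t  sa_data[14];
};

/* Models a helper that writes only the family and addr_len address bytes. */
static void model_get_mac(struct model_sockaddr *sa, const uint8_t *mac, size_t addr_len)
{
    sa->sa_family = 1;                    /* ARPHRD_ETHER */
    memcpy(sa->sa_data, mac, addr_len);   /* sa_data[addr_len..13] is left untouched */
}

/* Returns how many poisoned (stale) bytes land in the 16-byte copy-out window. */
static size_t stale_bytes_copied(int zero_first)
{
    static const uint8_t mac[ETH_ADDR_LEN] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
    struct model_sockaddr ss;
    uint8_t user_buf[HWADDR_COPY_LEN];
    size_t i, stale = 0;

    memset(&ss, STACK_POISON, sizeof(ss));    /* simulate leftover stack contents */
    if (zero_first)
        memset(&ss, 0, sizeof(ss));           /* effect of initialising ss at declaration */

    model_get_mac(&ss, mac, ETH_ADDR_LEN);
    memcpy(user_buf, &ss, sizeof(user_buf));  /* models the fixed-size copy to userspace */

    for (i = 0; i < sizeof(user_buf); i++)
        if (user_buf[i] == STACK_POISON)
            stale++;
    return stale;
}

int main(void)
{
    printf("without initialiser: %zu stale bytes\n", stale_bytes_copied(0));
    printf("with initialiser:    %zu stale bytes\n", stale_bytes_copied(1));
    return 0;
}
```

The same poison-then-count check works as a regression test for any getter that fills a fixed-size structure only partially before it is copied out.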