From: Li hongliang <1468888505@139.com>
To: gregkh@linuxfoundation.org, stable@vger.kernel.org, jk@codeconstruct.com.au
Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, matt@codeconstruct.com.au, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, netdev@vger.kernel.org
Subject: [PATCH 6.12.y] net: mctp: ensure our nlmsg responses are initialised
Date: Tue, 2 Jun 2026 15:35:48 +0800
Message-Id: <20260602073548.2906967-1-1468888505@139.com>
X-Mailer: git-send-email 2.34.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Jeremy Kerr

[ Upstream commit a6a9bc544b675d8b5180f2718ec985ad267b5cbf ]

Syed Faraz Abrar (@farazsth98) from Zellic, and Pumpkin (@u1f383) from
DEVCORE Research Team working with Trend Micro Zero Day Initiative
report that a RTM_GETNEIGH will return uninitialised data in the pad
bytes of the ndmsg data.

Ensure we're initialising the netlink data to zero, in the link, addr
and neigh response messages.

Fixes: 831119f88781 ("mctp: Add neighbour netlink interface")
Fixes: 06d2f4c583a7 ("mctp: Add netlink route management")
Fixes: 583be982d934 ("mctp: Add device handling and netlink interface")
Signed-off-by: Jeremy Kerr
Reviewed-by: Simon Horman
Link: https://patch.msgid.link/20260209-dev-mctp-nlmsg-v1-1-f1e30c346a43@codeconstruct.com.au
Signed-off-by: Jakub Kicinski
Signed-off-by: Li hongliang <1468888505@139.com>
---
 net/mctp/device.c | 1 +
 net/mctp/neigh.c  | 1 +
 net/mctp/route.c  | 1 +
 3 files changed, 3 insertions(+)
diff --git a/net/mctp/device.c b/net/mctp/device.c index 8d1386601bbe..67576cb2728e 100644 --- a/net/mctp/device.c +++ b/net/mctp/device.c @@ -70,6 +70,7 @@ static int mctp_fill_addrinfo(struct sk_buff *skb, return -EMSGSIZE; =20 hdr =3D nlmsg_data(nlh); + memset(hdr, 0, sizeof(*hdr)); hdr->ifa_family =3D AF_MCTP; hdr->ifa_prefixlen =3D 0; hdr->ifa_flags =3D 0; diff --git a/net/mctp/neigh.c b/net/mctp/neigh.c index 590f642413e4..c0151a69d2b7 100644 --- a/net/mctp/neigh.c +++ b/net/mctp/neigh.c @@ -218,6 +218,7 @@ static int mctp_fill_neigh(struct sk_buff *skb, u32 por= tid, u32 seq, int event, return -EMSGSIZE; =20 hdr =3D nlmsg_data(nlh); + memset(hdr, 0, sizeof(*hdr)); hdr->ndm_family =3D AF_MCTP; hdr->ndm_ifindex =3D dev->ifindex; hdr->ndm_state =3D 0; // TODO other state bits? diff --git a/net/mctp/route.c b/net/mctp/route.c index ccba2abbbbfb..35a0681123a3 100644 --- a/net/mctp/route.c +++ b/net/mctp/route.c @@ -1405,6 +1405,7 @@ static int mctp_fill_rtinfo(struct sk_buff *skb, stru= ct mctp_route *rt, return -EMSGSIZE; =20 hdr =3D nlmsg_data(nlh); + memset(hdr, 0, sizeof(*hdr)); hdr->rtm_family =3D AF_MCTP; =20 /* we use the _len fields as a number of EIDs, rather than --=20 2.34.1
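
Review bot: in the net/mctp/device.c hunk (mctp_fill_addrinfo), the added memset(hdr, 0, sizeof(*hdr)) makes the two context lines that follow it, "hdr->ifa_prefixlen = 0;" and "hdr->ifa_flags = 0;", redundant. Keeping them is harmless and keeps this 6.12.y backport identical to the upstream commit, but a follow-up upstream could drop them so the header is zeroed in exactly one place.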
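
Review bot: the net/mctp/neigh.c hunk (mctp_fill_neigh) is the one that covers the reported RTM_GETNEIGH case, yet the patch carries no test or note on how the backport was validated. Suggest confirming on a 6.12.y build that a neighbour dump returns zero in the pad bytes of the ndmsg header named in the commit message, and running the same check on the addr and route dumps touched by the other two hunks. The memset sits after the "return -EMSGSIZE;" check and before the first field assignment, which is the right position.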
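
Review bot: the net/mctp/route.c hunk (mctp_fill_rtinfo) is not reflected in the changelog, which lists "link, addr and neigh response messages" while the diffstat touches device.c, neigh.c and route.c. The second Fixes: tag (06d2f4c583a7, "mctp: Add netlink route management") matches this hunk, so naming the route response in the description would make backport triage against that tag easier.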