| Message ID | 20200913110313.4239-1-anant.thazhemadam@gmail.com |
|---|---|
| State | New |
| Series | [v2] net: fix uninit value error in __sys_sendmmsg |
On 13/09/20 4:33 pm, Anant Thazhemadam wrote:
> The crash report indicated that there was a local variable;
> ----iovstack.i@__sys_sendmmsg created at:
> ___sys_sendmsg net/socket.c:2388 [inline]
> __sys_sendmmsg+0x6db/0xc90 net/socket.c:2480
>
> that was left uninitialized.
>
> Initializing this stack to 0s prevents this bug from happening.
> Since the memory pointed to by *iov is freed at the end of the function
> call, memory leaks are not likely to be an issue.
>
> syzbot seems to have triggered this error by passing an array of 0's as
> a parameter while making the system call.
>
> Reported-by: syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com
> Tested-by: syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
> ---
> Changes from v1:
> * Fixed the build warning that v1 had introduced
>
> net/socket.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/socket.c b/net/socket.c
> index 0c0144604f81..1e6f9b54982c 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -2398,6 +2398,7 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg,
> struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
> ssize_t err;
>
> + memset(iov, 0, UIO_FASTIOV);
> msg_sys->msg_name = &address;
>
> err = sendmsg_copy_msghdr(msg_sys, msg, flags, &iov);

It has since been determined that this patch is incorrect, and even if it were correct, it provides a huge performance overhead, which is not welcome.

Kindly ignore this patch. Sorry.

Thanks,
Anant
diff --git a/net/socket.c b/net/socket.c index 0c0144604f81..1e6f9b54982c 100644 --- a/net/socket.c +++ b/net/socket.c @@ -2398,6 +2398,7 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg, struct iovec iovstack[UIO_FASTIOV], *iov = iovstack; ssize_t err; + memset(iov, 0, UIO_FASTIOV); msg_sys->msg_name = &address; err = sendmsg_copy_msghdr(msg_sys, msg, flags, &iov);
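Review bot: the added `memset(iov, 0, UIO_FASTIOV);` in the ___sys_sendmsg hunk clears the wrong number of bytes: UIO_FASTIOV is the element count of `iovstack`, not its size, so only that many bytes are zeroed and most of the array stays uninitialized; if zeroing were the intended approach the call would have to be `memset(iovstack, 0, sizeof(iovstack));`. Beyond that, the commit message never identifies which iovec field was read before being written, and `iov` is passed to `sendmsg_copy_msghdr` by address so the callee can repoint it, which means a blanket clear on every sendmsg call adds a per-call cost (the follow-up reply withdraws the patch for exactly that reason) without establishing the root cause; the fix belongs where the iovec entries are copied in or consumed, verified against the zero-filled syzbot input named in the commit message. The "memory leaks are not likely" sentence in the commit message is also unrelated to this change, since memset allocates nothing.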