Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 18 Feb 2023 11:55:48 GMT
From:      "Alexander V. Chernikov" <melifaro@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 13e997289240 - stable/13 - netlink: Zero-initialize mbuf messages
Message-ID:  <202302181155.31IBtmeQ069527@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch stable/13 has been updated by melifaro:

URL: https://cgit.FreeBSD.org/src/commit/?id=13e997289240c4697536f904167720a29abf7a58

commit 13e997289240c4697536f904167720a29abf7a58
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-01-17 14:36:54 +0000
Commit:     Alexander V. Chernikov <melifaro@FreeBSD.org>
CommitDate: 2023-02-18 11:53:54 +0000

    netlink: Zero-initialize mbuf messages
    
    Some users of nlmsg_reserve_object() and nlmsg_reserve_data() are not
    careful to fully initialize pad and reserved fields, allowing
    uninitialized bytes to leak to userspace.  For example, dump_nhgrp()
    doesn't set nhm->resvd = 0.
    
    Meanwhile, nlmsg_get_ns_buf() and nlmsg_get_ns_lbuf() zero-initialize
    the buffer, so nlmsg_get_ns_mbuf() is inconsistent.  Let's just make
    them all behave the same here.
    
    Reported by:    KMSAN
    Reviewed by:    melifaro
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D38098
    
    (cherry picked from commit d91be0f1211b0196a0087cdfa237a6a0d2a43b65)
---
 sys/netlink/netlink_message_writer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/netlink/netlink_message_writer.c b/sys/netlink/netlink_message_writer.c
index 37414703c6f6..6573394eb881 100644
--- a/sys/netlink/netlink_message_writer.c
+++ b/sys/netlink/netlink_message_writer.c
@@ -215,6 +215,7 @@ nlmsg_get_ns_mbuf(struct nl_writer *nw, int size, bool waitok)
 	nw->malloc_flag = mflag;
 	nw->num_messages = 0;
 	nw->enomem = false;
+	memset(nw->data, 0, size);
         NL_LOG(LOG_DEBUG2, "alloc mbuf %p req_len %d alloc_len %d data_ptr %p",
             m, size, nw->alloc_len, nw->data);
         return (true);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202302181155.31IBtmeQ069527>