summaryrefslogtreecommitdiff
path: root/net/key
diff options
context:
space:
mode:
authorHaimin Zhang <tcs_kernel@tencent.com>2022-03-08 11:20:28 +0800
committerSteffen Klassert <steffen.klassert@secunet.com>2022-03-10 07:39:47 +0100
commit9a564bccb78a76740ea9d75a259942df8143d02c (patch)
treeaf80e6330dcdb8be70d1d8e8059ad2d537780815 /net/key
parent5f147476057832b8f87461ff6da35b5d2e1c2c29 (diff)
af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
Add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register to initialize the buffer of supp_skb to fix a kernel-info-leak issue. 1) Function pfkey_register calls compose_sadb_supported to request a sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate a sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then compose_sadb_supported treats the memory as a struct sadb_supported and begins to initialize. But it just initializes the field sadb_supported_len and field sadb_supported_exttype without field sadb_supported_reserved. Reported-by: TCS Robot <tcs_robot@tencent.com> Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/key')
-rw-r--r--net/key/af_key.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 9bf52a09b5ff..fd51db3be91c 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1699,7 +1699,7 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad
xfrm_probe_algs();
- supp_skb = compose_sadb_supported(hdr, GFP_KERNEL);
+ supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO);
if (!supp_skb) {
if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC)
pfk->registered &= ~(1<<hdr->sadb_msg_satype);