CVE-2021-47597

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> inet_diag: fix kernel-infoleak for UDP sockets<br /> <br /> KMSAN reported a kernel-infoleak [1], that can exploited<br /> by unpriv users.<br /> <br /> After analysis it turned out UDP was not initializing<br /> r-&gt;idiag_expires. Other users of inet_sk_diag_fill()<br /> might make the same mistake in the future, so fix this<br /> in inet_sk_diag_fill().<br /> <br /> [1]<br /> BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]<br /> BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline]<br /> BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670<br /> instrument_copy_to_user include/linux/instrumented.h:121 [inline]<br /> copyout lib/iov_iter.c:156 [inline]<br /> _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670<br /> copy_to_iter include/linux/uio.h:155 [inline]<br /> simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519<br /> __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425<br /> skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533<br /> skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline]<br /> netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974<br /> sock_recvmsg_nosec net/socket.c:944 [inline]<br /> sock_recvmsg net/socket.c:962 [inline]<br /> sock_read_iter+0x5a9/0x630 net/socket.c:1035<br /> call_read_iter include/linux/fs.h:2156 [inline]<br /> new_sync_read fs/read_write.c:400 [inline]<br /> vfs_read+0x1631/0x1980 fs/read_write.c:481<br /> ksys_read+0x28c/0x520 fs/read_write.c:619<br /> __do_sys_read fs/read_write.c:629 [inline]<br /> __se_sys_read fs/read_write.c:627 [inline]<br /> __x64_sys_read+0xdb/0x120 fs/read_write.c:627<br /> do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br /> do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> Uninit was created at:<br /> slab_post_alloc_hook mm/slab.h:524 [inline]<br /> slab_alloc_node mm/slub.c:3251 [inline]<br /> __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974<br /> kmalloc_reserve net/core/skbuff.c:354 [inline]<br /> __alloc_skb+0x545/0xf90 net/core/skbuff.c:426<br /> alloc_skb include/linux/skbuff.h:1126 [inline]<br /> netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245<br /> __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370<br /> netlink_dump_start include/linux/netlink.h:254 [inline]<br /> inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343<br /> sock_diag_rcv_msg+0x24a/0x620<br /> netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491<br /> sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]<br /> netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345<br /> netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916<br /> sock_sendmsg_nosec net/socket.c:704 [inline]<br /> sock_sendmsg net/socket.c:724 [inline]<br /> sock_write_iter+0x594/0x690 net/socket.c:1057<br /> do_iter_readv_writev+0xa7f/0xc70<br /> do_iter_write+0x52c/0x1500 fs/read_write.c:851<br /> vfs_writev fs/read_write.c:924 [inline]<br /> do_writev+0x63f/0xe30 fs/read_write.c:967<br /> __do_sys_writev fs/read_write.c:1040 [inline]<br /> __se_sys_writev fs/read_write.c:1037 [inline]<br /> __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037<br /> do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br /> do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> Bytes 68-71 of 312 are uninitialized<br /> Memory access of size 312 starts at ffff88812ab54000<br /> Data copied to user address 0000000020001440<br /> <br /> CPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011