From: Henry Martin <bsdhenryma@xxxxxxxxxxx>
The `struct virtio_vsock_pkt_info` is declared on the stack but only
partially initialized (only `op`, `flags`, and `vsk` are set)
The uninitialized fields (including `pkt_len`, `remote_cid`,
`remote_port`, etc.) contain residual kernel stack data. This structure
is passed to `virtio_transport_send_pkt_info()`, which uses the
uninitialized fields.
Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
Reported-by: TCS Robot <tcs_robot@xxxxxxxxxxx>
Signed-off-by: Henry Martin <bsdhenryma@xxxxxxxxxxx>
---
net/vmw_vsock/virtio_transport_common.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index fe92e5fa95b4..cb391a98d025 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1073,14 +1073,14 @@ EXPORT_SYMBOL_GPL(virtio_transport_connect);
int virtio_transport_shutdown(struct vsock_sock *vsk, int mode)
{
- struct virtio_vsock_pkt_info info = {
- .op = VIRTIO_VSOCK_OP_SHUTDOWN,
- .flags = (mode & RCV_SHUTDOWN ?
- VIRTIO_VSOCK_SHUTDOWN_RCV : 0) |
- (mode & SEND_SHUTDOWN ?
- VIRTIO_VSOCK_SHUTDOWN_SEND : 0),
- .vsk = vsk,
- };
+ struct virtio_vsock_pkt_info info = {0};
+
+ info.op = VIRTIO_VSOCK_OP_SHUTDOWN;
+ info.flags = (mode & RCV_SHUTDOWN ?
+ VIRTIO_VSOCK_SHUTDOWN_RCV : 0) |
+ (mode & SEND_SHUTDOWN ?
+ VIRTIO_VSOCK_SHUTDOWN_SEND : 0);
+ info.vsk = vsk;
return virtio_transport_send_pkt_info(vsk, &info);
}
--
2.41.3
