Re: [PATCH v1] VSOCK: fix Information Leak in virtio_transport_shutdown()

henry martin <bsdhenrymartin@xxxxxxxxx> · Tue, 5 Aug 2025 16:53:03 +0800

Thanks for the quick review. You're right—this patch is a false
positive. Modern compilers zero out the remaining fields, so the fix
isn't needed.

I'll be withdrawing all the patches and will ensure we more carefully
evaluate our robot's findings before submitting in the future.

Thanks for your help!

Stefano Garzarella <sgarzare@xxxxxxxxxx> 于2025年8月5日周二 15:01写道：
>
> On Tue, Aug 05, 2025 at 01:10:09PM +0800, bsdhenrymartin@xxxxxxxxx wrote:
> >From: Henry Martin <bsdhenryma@xxxxxxxxxxx>
> >
> >The `struct virtio_vsock_pkt_info` is declared on the stack but only
> >partially initialized (only `op`, `flags`, and `vsk` are set)
> >
> >The uninitialized fields (including `pkt_len`, `remote_cid`,
> >`remote_port`, etc.) contain residual kernel stack data. This structure
> >is passed to `virtio_transport_send_pkt_info()`, which uses the
> >uninitialized fields.
> >
> >Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
> >Reported-by: TCS Robot <tcs_robot@xxxxxxxxxxx>
> >Signed-off-by: Henry Martin <bsdhenryma@xxxxxxxxxxx>
> >---
> > net/vmw_vsock/virtio_transport_common.c | 15 +++++++--------
> > 1 file changed, 7 insertions(+), 8 deletions(-)
> >
> >diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
> >index fe92e5fa95b4..cb391a98d025 100644
> >--- a/net/vmw_vsock/virtio_transport_common.c
> >+++ b/net/vmw_vsock/virtio_transport_common.c
> >@@ -1073,14 +1073,14 @@ EXPORT_SYMBOL_GPL(virtio_transport_connect);
> >
> > int virtio_transport_shutdown(struct vsock_sock *vsk, int mode)
> > {
> >-      struct virtio_vsock_pkt_info info = {
> >-              .op = VIRTIO_VSOCK_OP_SHUTDOWN,
> >-              .flags = (mode & RCV_SHUTDOWN ?
> >-                        VIRTIO_VSOCK_SHUTDOWN_RCV : 0) |
> >-                       (mode & SEND_SHUTDOWN ?
> >-                        VIRTIO_VSOCK_SHUTDOWN_SEND : 0),
> >-              .vsk = vsk,
> >-      };
>
> The compiler sets all other fields to 0, so I don't understand what this
> patch solves.
> Can you give an example of the problem you found?
>
> Furthermore, even if this fix were valid, why do it for just one
> function?
>
> Stefano
>
> >+      struct virtio_vsock_pkt_info info = {0};
> >+
> >+      info.op = VIRTIO_VSOCK_OP_SHUTDOWN;
> >+      info.flags = (mode & RCV_SHUTDOWN ?
> >+                      VIRTIO_VSOCK_SHUTDOWN_RCV : 0) |
> >+                      (mode & SEND_SHUTDOWN ?
> >+                      VIRTIO_VSOCK_SHUTDOWN_SEND : 0);
> >+      info.vsk = vsk;
> >
> >       return virtio_transport_send_pkt_info(vsk, &info);
> > }
> >--
> >2.41.3
> >
>