On Fri, Feb 04, 2022 at 07:55:59PM -0400, Jason Gunthorpe wrote:
> On Fri, Feb 04, 2022 at 01:00:36PM +0300, Dan Carpenter wrote:
> > From: Haimin Zhang <tcs.kernel@xxxxxxxxx>
> >
> > The ib_copy_ah_attr_to_user() function only initializes "resp.grh" if
> > the "resp.is_global" flag is set. Unfortunately, this data is copied to
> > the user and copying uninitialized stack data to the user is an
> > information leak. Zero out the whole "resp" struct to be safe.
>
> Hasn't this already been fixed, and more comprehensively too?
>
> commit b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd
> Author: Leon Romanovsky <leon@xxxxxxxxxx>
> Date:   Tue Jan 4 14:21:52 2022 +0200
>
>     RDMA/core: Don't infoleak GRH fields
>
>     If dst->is_global field is not set, the GRH fields are not cleared
>     and the following infoleak is reported.
>
> Jason

That does fix the bug. It's unfortunate that Haimin Zhang doesn't get the
Reported-by tag on this. That was my screw up. Sorry.

regards,
dan carpenter
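The bug class in the patch above (a response struct on the kernel stack whose GRH block is only written when is_global is set, then copied to user space wholesale) is easy to reproduce in user space. The following is an added example written for this page, not the kernel's ib_copy_ah_attr_to_user() or either of the real fixes: the struct layouts, field names and the POISON pre-fill are all constructed stand-ins. The "stack slot" is deliberately filled with a known byte pattern before the copy routine runs, standing in for whatever an earlier syscall left on the stack, so the number of stale bytes that reach the user is deterministic and can be counted. The hardened variant zeroes the whole response first, as Haimin Zhang's patch does; note that this also covers reserved bytes the filler never touches, which a GRH-only memset would not.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the uverbs AH structures. The layout is
 * illustrative and chosen to have no padding, so every byte that reaches
 * user space is either written by the filler or is stale stack content. */
struct ah_grh {
    uint8_t  dgid[16];
    uint32_t flow_label;
    uint8_t  sgid_index;
    uint8_t  hop_limit;
    uint8_t  traffic_class;
    uint8_t  reserved;          /* never written by the filler */
};

struct ah_attr_resp {           /* this is what gets copied to user space */
    struct ah_grh grh;
    uint16_t dlid;
    uint8_t  sl;
    uint8_t  src_path_bits;
    uint8_t  static_rate;
    uint8_t  is_global;
    uint8_t  port_num;
    uint8_t  reserved;          /* never written by the filler */
};

#define AH_FLAG_GRH 0x1u
struct ah_attr_kernel {         /* kernel-internal source (assumed shape) */
    unsigned flags;
    struct ah_grh grh;
    uint16_t dlid;
    uint8_t  sl, src_path_bits, static_rate, port_num;
};

/* The filling logic shared by both variants: the GRH block is written only
 * when a GRH is present, exactly the pattern the patch describes. */
static void fill_ah_attr(struct ah_attr_resp *dst, const struct ah_attr_kernel *src)
{
    dst->dlid = src->dlid;
    dst->sl = src->sl;
    dst->src_path_bits = src->src_path_bits;
    dst->static_rate = src->static_rate;
    dst->port_num = src->port_num;
    if (src->flags & AH_FLAG_GRH) {
        dst->is_global = 1;
        memcpy(dst->grh.dgid, src->grh.dgid, sizeof(dst->grh.dgid));
        dst->grh.flow_label = src->grh.flow_label;
        dst->grh.sgid_index = src->grh.sgid_index;
        dst->grh.hop_limit = src->grh.hop_limit;
        dst->grh.traffic_class = src->grh.traffic_class;
    } else {
        dst->is_global = 0;     /* dst->grh is left as-is: stale stack data */
    }
}

/* Leaky: fill on top of whatever the caller's stack slot already holds. */
static void copy_ah_attr_leaky(struct ah_attr_resp *dst, const struct ah_attr_kernel *src)
{
    fill_ah_attr(dst, src);
}

/* Hardened: zero the whole response first, so untouched fields, reserved
 * bytes and any padding all read back as zero. */
static void copy_ah_attr_fixed(struct ah_attr_resp *dst, const struct ah_attr_kernel *src)
{
    memset(dst, 0, sizeof(*dst));
    fill_ah_attr(dst, src);
}

/* Stand-in for the caller's stack slot, pre-filled with POISON to model stale
 * data from an earlier call. Runs one variant, "copies to user" with a plain
 * memcpy, and returns how many POISON bytes the user-visible copy contains. */
#define POISON 0xAA
static size_t run_query(int hardened, int has_grh)
{
    union {
        struct ah_attr_resp resp;
        unsigned char raw[sizeof(struct ah_attr_resp)];
    } slot;
    struct ah_attr_kernel src;
    unsigned char user_buf[sizeof(struct ah_attr_resp)];
    size_t i, leaked = 0;

    memset(&slot, POISON, sizeof(slot));
    memset(&src, 0, sizeof(src));           /* constructed sample input */
    src.flags = has_grh ? AH_FLAG_GRH : 0;
    src.dlid = 0x1234; src.sl = 3; src.src_path_bits = 1;
    src.static_rate = 4; src.port_num = 1;
    for (i = 0; i < sizeof(src.grh.dgid); i++)
        src.grh.dgid[i] = (uint8_t)i;
    src.grh.flow_label = 0x000fffff;
    src.grh.sgid_index = 2; src.grh.hop_limit = 64; src.grh.traffic_class = 0;

    if (hardened)
        copy_ah_attr_fixed(&slot.resp, &src);
    else
        copy_ah_attr_leaky(&slot.resp, &src);

    memcpy(user_buf, slot.raw, sizeof(user_buf));   /* copy_to_user stand-in */
    for (i = 0; i < sizeof(user_buf); i++)
        if (user_buf[i] == POISON)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("leaky,    no GRH: %zu stale bytes reach user space\n", run_query(0, 0));
    printf("leaky,   with GRH: %zu stale bytes reach user space\n", run_query(0, 1));
    printf("hardened, no GRH: %zu stale bytes reach user space\n", run_query(1, 0));
    printf("hardened, with GRH: %zu stale bytes reach user space\n", run_query(1, 1));
    return 0;
}
```

With these constructed layouts the leaky variant exposes the whole 24-byte GRH block plus the untouched reserved byte when no GRH is present, and still exposes the two reserved bytes even when a GRH is present; the zero-first variant exposes nothing in either case. Counting a poison byte pattern is the same trick KMSAN-style tooling and the infoleak report quoted in Leon's commit rely on, just done by hand here.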