On Thursday 2018-05-17 12:09, Greg Kroah-Hartman wrote: >> > --- a/net/netfilter/x_tables.c >> > +++ b/net/netfilter/x_tables.c >> > @@ -1183,11 +1183,10 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size) >> > * than shoot all processes down before realizing there is nothing >> > * more to reclaim. >> > */ >> > - info = kvmalloc(sz, GFP_KERNEL | __GFP_NORETRY); >> > + info = kvzalloc(sz, GFP_KERNEL | __GFP_NORETRY); >> > if (!info) >> > return NULL; >> >> I am curious, what particular path does not later overwrite the whole zone ? > >In do_ipt_get_ctl, the IPT_SO_GET_ENTRIES: option uses a len value that >can be larger than the size of the structure itself. > >Then the data is copied to userspace in copy_entries_to_user() for ipv4 >and v6, and that's where the "bad data" If the kernel incorrectly copies more bytes than it should, isn't that a sign that may be going going past the end of the info buffer? (And thus, zeroing won't truly fix the issue) And if the kernel copies too few (because it just does not have more data than userspace is requesting), what remains in the user buffer is the garbage that originally was there. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html