On Tue, Jan 21, 2025 at 11:13:38PM -0800, Xingyu Li wrote:
> Hi,
>
> We noticed that the patch 11a4d6f67cf5 should be ported to 5.10 and
> 5.15 LTS according to the bug-introducing commit. Also, it can be
> applied to the latest version of these two LTS branches without
> conflicts. Its bug-introducing commit is f25dcc7687d4. The kernel
> warning and stack trace indicate a problem when sending a SYN message
> in TIPC (Transparent Inter-Process Communication). The issue arises
> because `copy_from_iter()` is being called with an uninitialized
> `iov_iter` structure, leading to invalid memory operations. The commit
> (`f25dcc7687d4`) introduces the vulnerability by replacing the old
> data copying mechanisms with the new `copy_from_iter()` function
> without ensuring that the `iov_iter` structure is properly initialized
> in all code paths. The patch adds initialization of `iov_iter` with
> "iov_iter_kvec(&m.msg_iter, ITER_SOURCE, NULL, 0, 0);", which ensures
> that even when there's no data to send, the `iov_iter` is correctly
> set up, preventing the kernel warning/crash when `copy_from_iter()` is
> called.

This change fails to build on those older kernels, which is perhaps why
it was not backported there. If you wish to see it there, please provide
a working backport.

thanks,

greg k-h
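The failure mode described in the quoted report (a kvec-style iterator handed to a copy routine before it was ever set up, versus one explicitly initialised as an empty source) can be illustrated with a small userspace model. This is an added example, not kernel code and not part of the thread: every `model_*` name is a hypothetical stand-in for the kernel's `struct iov_iter`, `iov_iter_kvec()` and `copy_from_iter()`, and the "warning" the real kernel raises is represented here simply by a return value of -1.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical userspace model of the kernel pieces named in the thread.
 * Type 0 stands for "this iterator was never initialised". */
enum model_iter_type { MODEL_ITER_UNSET = 0, MODEL_ITER_KVEC = 1 };

struct model_kvec { const void *iov_base; size_t iov_len; };

struct model_iov_iter {
    enum model_iter_type type;      /* MODEL_ITER_UNSET until set up      */
    const struct model_kvec *kvec;  /* current segment                    */
    unsigned long nr_segs;          /* segments remaining                 */
    size_t iov_offset;              /* bytes already consumed in segment  */
    size_t count;                   /* total bytes remaining              */
};

/* Models iov_iter_kvec(): marks the iterator as a (possibly empty) kvec source. */
void model_iov_iter_kvec(struct model_iov_iter *i, const struct model_kvec *kvec,
                         unsigned long nr_segs, size_t count)
{
    i->type = MODEL_ITER_KVEC;
    i->kvec = kvec;
    i->nr_segs = nr_segs;
    i->iov_offset = 0;
    i->count = count;
}

/* Models copy_from_iter(): copies up to `bytes` from the iterator into dst and
 * returns the number copied. Returns -1 where the real kernel would warn,
 * i.e. when the iterator was never initialised (assumption of this model). */
long model_copy_from_iter(void *dst, size_t bytes, struct model_iov_iter *i)
{
    if (i->type != MODEL_ITER_KVEC)
        return -1;

    size_t copied = 0;
    while (copied < bytes && i->count > 0 && i->nr_segs > 0) {
        size_t avail = i->kvec->iov_len - i->iov_offset;
        size_t n = bytes - copied;
        if (n > avail) n = avail;
        if (n > i->count) n = i->count;
        memcpy((char *)dst + copied,
               (const char *)i->kvec->iov_base + i->iov_offset, n);
        copied += n;
        i->count -= n;
        i->iov_offset += n;
        if (i->iov_offset == i->kvec->iov_len) { /* segment exhausted */
            i->kvec++;
            i->nr_segs--;
            i->iov_offset = 0;
        }
    }
    return (long)copied;
}

/* Header-only message with the iterator left as it came (modelled as zeroed):
 * the copy routine is reached with an iterator that was never set up. */
long model_syn_copy_without_init(void)
{
    struct model_iov_iter it;
    memset(&it, 0, sizeof it);          /* stands in for "uninitialised" */
    char hdr[16] = {0};
    return model_copy_from_iter(hdr, 0, &it);   /* -1 in this model */
}

/* Same path after explicitly initialising an empty source, the shape of
 * iov_iter_kvec(&m.msg_iter, ITER_SOURCE, NULL, 0, 0) from the thread. */
long model_syn_copy_with_init(void)
{
    struct model_iov_iter it;
    model_iov_iter_kvec(&it, NULL, 0, 0);
    char hdr[16] = {0};
    return model_copy_from_iter(hdr, 0, &it);   /* 0 bytes, no warning */
}

/* Sanity check that a real two-segment payload (constructed data) copies fully. */
long model_copy_payload(char *dst, size_t dstlen)
{
    static const char a[] = "hello ", b[] = "tipc";
    struct model_kvec kv[2] = { { a, 6 }, { b, 4 } };
    struct model_iov_iter it;
    model_iov_iter_kvec(&it, kv, 2, 10);
    return model_copy_from_iter(dst, dstlen, &it);
}

int main(void)
{
    char buf[16] = {0};
    printf("uninitialised iterator: %ld\n", model_syn_copy_without_init());
    printf("empty initialised iterator: %ld\n", model_syn_copy_with_init());
    printf("payload copy: %ld bytes -> \"%.*s\"\n",
           model_copy_payload(buf, sizeof buf), 10, buf);
    return 0;
}
```

The point the model makes is the one in the report: an iterator with zero bytes to copy is a perfectly valid source once it has been initialised, so the fix is to always set it up rather than to skip the copy on the no-data path.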