In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()
The ioctl helper function nilfs_ioctl_wrap_copy(), which exchanges a metadata array to/from user space, may copy uninitialized buffer regions to user space memory for the read-only ioctl commands NILFS_IOCTL_GET_SUINFO and NILFS_IOCTL_GET_CPINFO.
This can occur when the element size of the user space metadata, given by the v_size member of the nilfs_argv argument structure, is larger than the size of the metadata element (the nilfs_suinfo or nilfs_cpinfo structure) on the file system side.
KMSAN-enabled kernels detect this issue as follows:
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xc0/0x100 lib/usercopy.c:33
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 _copy_to_user+0xc0/0x100 lib/usercopy.c:33
 copy_to_user include/linux/uaccess.h:169 [inline]
 nilfs_ioctl_wrap_copy+0x6fa/0xc10 fs/nilfs2/ioctl.c:99
 nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]
 nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290
 nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343
 __do_compat_sys_ioctl fs/ioctl.c:968 [inline]
 __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910
 __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
 entry_SYSENTER_compat_after_hwframe+0x70/0x82

Uninit was created at:
 __alloc_pages+0x9f6/0xe90 mm/page_alloc.c:5572
 alloc_pages+0xab0/0xd80 mm/mempolicy.c:2287
 __get_free_pages+0x34/0xc0 mm/page_alloc.c:5599
 nilfs_ioctl_wrap_copy+0x223/0xc10 fs/nilfs2/ioctl.c:74
 nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]
 nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290
 nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343
 __do_compat_sys_ioctl fs/ioctl.c:968 [inline]
 __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910
 __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
 entry_SYSENTER_compat_after_hwframe+0x70/0x82

Bytes 16-127 of 3968 are uninitialized ...
This eliminates the leak by initializing the page allocated as the buffer using get_zeroed_page().
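The following user-space model, added here as an illustration and not code from the kernel or the nilfs2 project, reproduces the mechanism above: each slot of the kernel buffer is v_size bytes wide, but the file system fills only the first sizeof(element) bytes of it, so everything between the element and the end of the slot is whatever the page already contained. The element struct, the 0xAA stand-in for stale page contents and the metadata values are constructed; a 16-byte element and 31 slots of 128 bytes mirror the "Bytes 16-127 of 3968" range in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the file-system-side element (16 bytes). */
struct fs_info { uint64_t a; uint64_t b; };

/* Model of nilfs_ioctl_wrap_copy() for a read-only (GET) command.  Each slot of
 * the kernel buffer is `vsize` bytes wide (user-chosen), but the file system fills
 * only sizeof(struct fs_info) bytes of it.  zeroed=0 models __get_free_pages()
 * (stale page contents, emulated with 0xAA here); zeroed=1 models get_zeroed_page(). */
static void wrap_copy(uint8_t *out, size_t nmembs, size_t vsize, int zeroed)
{
    size_t bufsz = nmembs * vsize;
    uint8_t *buf = malloc(bufsz);
    if (!buf) abort();
    memset(buf, zeroed ? 0x00 : 0xAA, bufsz);
    for (size_t i = 0; i < nmembs; i++) {
        struct fs_info e = { .a = i, .b = 2 * i };  /* constructed metadata values */
        memcpy(buf + i * vsize, &e, sizeof e);      /* only the head of each slot */
    }
    memcpy(out, buf, bufsz);                        /* stands in for copy_to_user() */
    free(buf);
}

/* Count bytes that reach "user space" without ever having been written by the
 * file system.  Returns (size_t)-1 for arguments the model cannot represent. */
static size_t count_leaked_bytes(size_t nmembs, size_t vsize, int zeroed)
{
    static uint8_t out[4096];
    size_t leaked = 0;
    if (vsize < sizeof(struct fs_info) || nmembs == 0 || nmembs > sizeof out / vsize)
        return (size_t)-1;
    wrap_copy(out, nmembs, vsize, zeroed);
    for (size_t i = 0; i < nmembs; i++)
        for (size_t off = sizeof(struct fs_info); off < vsize; off++)
            if (out[i * vsize + off] != 0)
                leaked++;
    return leaked;
}

int main(void)
{
    /* 31 slots of 128 bytes = 3968 bytes, as in the KMSAN report above. */
    printf("uninitialized page: %zu stale bytes reach user space\n",
           count_leaked_bytes(31, 128, 0));
    printf("zeroed page:        %zu stale bytes reach user space\n",
           count_leaked_bytes(31, 128, 1));
    return 0;
}
```

With v_size equal to the element size no padding exists and nothing leaks even from an uninitialized page, which is why the bug only surfaces for an oversized v_size.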