diff options
| author | Yasuaki Torimaru <yasuakitorimaru@gmail.com> | 2026-03-26 14:58:00 +0900 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2026-03-30 07:47:32 +0200 |
| commit | 71a98248c63c535eaa4d4c22f099b68d902006d0 (patch) | |
| tree | c4e5d02e8794d98f5e24b311911309fc5075a484 /tools/perf/scripts/python/bin/stackcollapse-record | |
| parent | c4ea7d8907cf72b259bf70bd8c2e791e1c4ff70f (diff) | |
xfrm: clear trailing padding in build_polexpire()
build_expire() clears the trailing padding bytes of struct
xfrm_user_expire after setting the hard field via memset_after(),
but the analogous function build_polexpire() does not do this for
struct xfrm_user_polexpire.
The padding bytes after the __u8 hard field are left
uninitialized from the heap allocation, and are then sent to
userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,
leaking kernel heap memory contents.
Add the missing memset_after() call, matching build_expire().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Yasuaki Torimaru <yasuakitorimaru@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'tools/perf/scripts/python/bin/stackcollapse-record')
0 files changed, 0 insertions, 0 deletions