net/bpfilter: Initialize pos in __bpfilter_process_sockopt

Christoph Hellwig · borkmann · commit 4f010246b408 · 2020-07-31T01:07:32.000+02:00
__bpfilter_process_sockopt never initialized the pos variable passed to the pipe write. This has been mostly harmless in the past as pipes ignore the offset, but the switch to kernel_write now verified the position, which can lead to a failure depending on the exact stack initialization pattern. Initialize the variable to zero to make rw_verify_area happy. Fixes: 6955a76 ("bpfilter: switch to kernel_write") Reported-by: Christian Brauner <christian.brauner@ubuntu.com> Reported-by: Rodrigo Madera <rodrigo.madera@gmail.com> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Tested-by: Rodrigo Madera <rodrigo.madera@gmail.com> Tested-by: Christian Brauner <christian.brauner@ubuntu.com> Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/bpf/20200730160900.187157-1-hch@lst.de
diff --git a/net/bpfilter/bpfilter_kern.c b/net/bpfilter/bpfilter_kern.c
@@ -39,7 +39,7 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname,
 {
 	struct mbox_request req;
 	struct mbox_reply reply;
-	loff_t pos;
+	loff_t pos = 0;
 	ssize_t n;
 	int ret = -EFAULT;
 

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname,`
`39`	`39`	`{`
`40`	`40`	`struct mbox_request req;`
`41`	`41`	`struct mbox_reply reply;`
`42`		`- loff_t pos;`
	`42`	`+ loff_t pos = 0;`
`43`	`43`	`ssize_t n;`
`44`	`44`	`int ret = -EFAULT;`
`45`	`45`