On Fri Jun 12, 2026 at 5:28 PM PDT, Kuniyuki Iwashima wrote:
> From: Jiayuan Chen <[email protected]>
> Date: Fri, 12 Jun 2026 21:07:47 +0800
>> From: Weiming Shi <[email protected]>
>> 
>> bpf_msg_push_data() allocates pages via alloc_pages() without
>> __GFP_ZERO. In the non-copy path, the entire page of uninitialized
>> heap content is added directly to the sk_msg scatterlist, which is
>> then transmitted over TCP to userspace via tcp_bpf_push(). In the
>> copy path, a gap of len bytes between the front and back memcpy
>> regions is similarly left uninitialized.
>> 
>> This leads to a kernel heap information leak: stale page content
>> including kernel pointers from the direct-map and vmemmap regions
>> is transmitted to userspace, which can be used to defeat KASLR.
>> 
>> Add __GFP_ZERO to the alloc_pages() call to ensure the allocated
>> page is always zeroed before it enters the scatterlist.
>> 
>> Link: https://lore.kernel.org/all/[email protected]
>> Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
>> Tested-by: Xiang Mei <[email protected]>
>> Tested-by: Xinyu Ma <[email protected]>
>> Reviewed-by: Jiayuan Chen <[email protected]>
>> Reviewed-by: Emil Tsalapatis <[email protected]>
>> Signed-off-by: Weiming Shi <[email protected]>
>> Signed-off-by: Jiayuan Chen <[email protected]>
>> ---
>>  net/core/filter.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>> 
>> diff --git a/net/core/filter.c b/net/core/filter.c
>> index 3e555f276ba80..6e345ca65ca14 100644
>> --- a/net/core/filter.c
>> +++ b/net/core/filter.c
>> @@ -2832,7 +2832,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_msg *, msg, 
>> u32, start,
>>      if (unlikely(copy + len < copy))
>>              return -EINVAL;
>>  
>> -    page = alloc_pages(__GFP_NOWARN | GFP_ATOMIC | __GFP_COMP,
>> +    page = alloc_pages(__GFP_NOWARN | GFP_ATOMIC | __GFP_COMP | __GFP_ZERO,
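Review bot: the added __GFP_ZERO zeroes the full page on every call, although the commit message says the copy path leaves only a len-byte gap between the front and back memcpy regions uninitialized; a memset of just that gap would cover the copy path at lower cost, and full-page zeroing is then justified only by the non-copy path, where the whole page enters the scatterlist. The commit message should say why unconditional zeroing was chosen over a targeted memset in the copy path, since the cost lands on every bpf_msg_push_data() call regardless of path.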
>
> This is a red flag.
>
> We have a bunch of KMSAN reports due to raw/packet sockets,
> which require CAP_NET_ADMIN, and leave them unfixed although
> some people attempted to "fix" them by adding __GFP_ZERO to
> __alloc_skb().

Yep. It's the bpf prog's responsibility to avoid garbage in the payload.

pw-bot: cr
