From: Jiayuan Chen <[email protected]> Date: Fri, 12 Jun 2026 21:07:47 +0800 > From: Weiming Shi <[email protected]> > > bpf_msg_push_data() allocates pages via alloc_pages() without > __GFP_ZERO. In the non-copy path, the entire page of uninitialized > heap content is added directly to the sk_msg scatterlist, which is > then transmitted over TCP to userspace via tcp_bpf_push(). In the > copy path, a gap of len bytes between the front and back memcpy > regions is similarly left uninitialized. > > This leads to a kernel heap information leak: stale page content > including kernel pointers from the direct-map and vmemmap regions > is transmitted to userspace, which can be used to defeat KASLR. > > Add __GFP_ZERO to the alloc_pages() call to ensure the allocated > page is always zeroed before it enters the scatterlist. > > Link: https://lore.kernel.org/all/[email protected] > Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data") > Tested-by: Xiang Mei <[email protected]> > Tested-by: Xinyu Ma <[email protected]> > Reviewed-by: Jiayuan Chen <[email protected]> > Reviewed-by: Emil Tsalapatis <[email protected]> > Signed-off-by: Weiming Shi <[email protected]> > Signed-off-by: Jiayuan Chen <[email protected]> > --- > net/core/filter.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/core/filter.c b/net/core/filter.c > index 3e555f276ba80..6e345ca65ca14 100644 > --- a/net/core/filter.c > +++ b/net/core/filter.c > @@ -2832,7 +2832,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_msg *, msg, > u32, start, > if (unlikely(copy + len < copy)) > return -EINVAL; > > - page = alloc_pages(__GFP_NOWARN | GFP_ATOMIC | __GFP_COMP, > + page = alloc_pages(__GFP_NOWARN | GFP_ATOMIC | __GFP_COMP | __GFP_ZERO,
This is a red flag. We have a bunch of KMSAN reports due to raw/packet sockets, which requires CAP_NET_ADMIN, and leave them unfixed although some people attempted to "fix" them by adding __GFP_ZERO to __alloc_skb(). > get_order(copy + len)); > if (unlikely(!page)) > return -ENOMEM; > -- > 2.43.0
