xfrm_user: fix info leak in build_report()

struct xfrm_user_report is a __u8 proto field followed by a struct xfrm_selector which means there is three "empty" bytes of padding, but the padding is never zeroed before copying to userspace. Fix that up by zeroing the structure before setting individual member variables. Cc: stable <stable@kernel.org> Cc: Steffen Klassert <steffen.klassert@secunet.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: "David S. Miller" <davem@davemloft.net> Cc: Eric Dumazet <edumazet@google.com> Cc: Jakub Kicinski <kuba@kernel.org> Cc: Paolo Abeni <pabeni@redhat.com> Cc: Simon Horman <horms@kernel.org> Assisted-by: gregkh_clanker_t1000 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
author: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-04-06 17:34:22 +0200
committer: Steffen Klassert <steffen.klassert@secunet.com> 2026-04-07 10:36:38 +0200
commit: d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 (patch)
tree: 547f11d5afd1489fd3ab513f6fe315d6927acbac /net
parent: 1beb76b2053b68c491b78370794b8ff63c8f8c02 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index baa43c325da2..d56450f61669 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -4125,6 +4125,7 @@ static int build_report(struct sk_buff *skb, u8 proto,
 		return -EMSGSIZE;
 
 	ur = nlmsg_data(nlh);
+	memset(ur, 0, sizeof(*ur));
 	ur->proto = proto;
 	memcpy(&ur->sel, sel, sizeof(ur->sel));
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2026-04-06 17:34:22 +0200
committer	Steffen Klassert <steffen.klassert@secunet.com>	2026-04-07 10:36:38 +0200
commit	d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 (patch)
tree	547f11d5afd1489fd3ab513f6fe315d6927acbac /net
parent	1beb76b2053b68c491b78370794b8ff63c8f8c02 (diff)