Re: [PATCH] tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR

Next message: patchwork-bot+netdevbpf: "Re: [PATCH net v2] selftests: net: Fix checksums in xdp_native"
Previous message: Jens Remus: "[PATCH v16 04/20] x86/uaccess: Add unsafe_copy_from_user() implementation"
In reply to: Willem de Bruijn: "Re: [PATCH] tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Thu May 21 2026 - 12:01:31 EST

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:

On Wed, 20 May 2026 00:57:38 -0700 you wrote:
> In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an
> uninitialised on-stack struct sockaddr_storage to userspace via
> ifr_hwaddr, but netif_get_mac_address() only writes sa_family and
> dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised.
>
> Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a
> macvtap chardev returns kernel .text and direct-map pointers, defeating
> KASLR.
>
> [...]

Here is the summary with links:
- tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR
https://git.kernel.org/netdev/net/c/bddc09212c24

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html