__bpfilter_process_sockopt never initialized the pos variable passed to
the pipe write.  This has been mostly harmless in the past as pipes
ignore the offset, but the switch to kernel_write now verified the
position, which can lead to a failure depending on the exact stack
initialization pattern.  Initialize the variable to zero to make
rw_verify_area happy.

Fixes: 6955a76fbcd5 ("bpfilter: switch to kernel_write")
Reported-by: Christian Brauner <christian.brau...@ubuntu.com>
Reported-by: Rodrigo Madera <rodrigo.mad...@gmail.com>
Signed-off-by: Christoph Hellwig <h...@lst.de>
Tested-by: Rodrigo Madera <rodrigo.mad...@gmail.com>
---
 net/bpfilter/bpfilter_kern.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bpfilter/bpfilter_kern.c b/net/bpfilter/bpfilter_kern.c
index 1905e01c3aa9a7..4494ea6056cdb8 100644
--- a/net/bpfilter/bpfilter_kern.c
+++ b/net/bpfilter/bpfilter_kern.c
@@ -39,7 +39,7 @@ static int __bpfilter_process_sockopt(struct sock *sk, int 
optname,
 {
        struct mbox_request req;
        struct mbox_reply reply;
-       loff_t pos;
+       loff_t pos = 0;
        ssize_t n;
        int ret = -EFAULT;
 
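Review bot: The `loff_t pos = 0;` initialization at the top of the hunk is the right minimal fix, since an uninitialized stack value can be negative and rw_verify_area rejects a negative position before the write ever reaches the pipe; a pipe ignores the offset, so zero is a safe and deterministic choice. The hunk only shows the declaration, not the kernel_write call that consumes `pos`, so it is worth confirming during review that no other read or write in __bpfilter_process_sockopt reuses the same `pos` after the pipe write advances it, and that the commit message's "now verified" (it currently reads "no verified") is corrected before merging, as it describes the behavioural change introduced by 6955a76fbcd5 that this patch depends on.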
-- 
2.27.0
