lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 02 Nov 2010 14:28:23 -0400 From: Dan Rosenberg <drosenberg@...curity.com> To: socketcan@...tkopp.net, oliver.hartkopp@...kswagen.de, urs.thuermann@...kswagen.de Cc: netdev@...r.kernel.org, security@...nel.org Subject: [SECURITY] CAN info leak/minor heap overflow In bcm_connect() (in net/can/bcm.c), I noticed the following code: sprintf(bo->procname, "%p", sock); "procname" is a 9-byte char array. This code is wrong on two levels. First, leaking a kernel address via a /proc filename is bad. Secondly, on 64-bit platforms, up to 17 bytes may be copied into the buffer. Fortunately, structure padding will most likely prevent this from being a problem, except for the trailing NULL byte, which may overwrite the first byte of the next heap object. Please name your procfile in a way that doesn't leak information and fits into the desired name buffer. -Dan -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists