| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 9 Dec 2012 22:40:34 -0500 From: Neal Cardwell <ncardwell@...gle.com> To: David Miller <davem@...emloft.net> Cc: Eric Dumazet <edumazet@...gle.com>, Netdev <netdev@...r.kernel.org> Subject: Re: [PATCH net 1/3] inet_diag: fix oops for IPv4 AF_INET6 TCP SYN-RECV state On Sun, Dec 9, 2012 at 7:01 PM, David Miller <davem@...emloft.net> wrote: > From: Neal Cardwell <ncardwell@...gle.com> > Date: Sun, 9 Dec 2012 00:43:21 -0500 > >> Fix inet_diag to be aware of the fact that AF_INET6 TCP connections >> instantiated for IPv4 traffic and in the SYN-RECV state were actually >> created with inet_reqsk_alloc(), instead of inet6_reqsk_alloc(). This >> means that for such connections inet6_rsk(req) returns a pointer to a >> random spot in memory up to roughly 64KB beyond the end of the >> request_sock. >> >> With this bug, for a server using AF_INET6 TCP sockets and serving >> IPv4 traffic, an inet_diag user like `ss state SYN-RECV` would lead to >> inet_diag_fill_req() causing an oops or the export to user space of 16 >> bytes of kernel memory as a garbage IPv6 address, depending on where >> the garbage inet6_rsk(req) pointed. >> >> Signed-off-by: Neal Cardwell <ncardwell@...gle.com> > > Applied. Thanks, David. neal -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists