lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 07 Apr 2013 16:31:17 -0400 (EDT)
From:	David Miller <davem@...emloft.net>
To:	minipli@...glemail.com
Cc:	netdev@...r.kernel.org, allan.stephens@...driver.com,
	aloisio.almeida@...nbossa.org, acking@...are.com,
	acme@...stprotocols.net, dtor@...are.com, georgezhang@...are.com,
	gustavo@...ovan.org, johan.hedberg@...il.com,
	jon.maloy@...csson.com, lauro.venancio@...nbossa.org,
	marcel@...tmann.org, ralf@...ux-mips.org, sameo@...ux.intel.com,
	samuel@...tiz.org, sjur.brandeland@...ricsson.com,
	ursula.braun@...ibm.com, spender@...ecurity.net
Subject: Re: [PATCH 00/16] info leak fixes in recvmsg

From: Mathias Krause <minipli@...glemail.com>
Date: Sun,  7 Apr 2013 13:51:46 +0200

> a few more info leak fixes in the recvmsg path. The error pattern here
> is the protocol specific recvmsg function is missing the msg_namelen
> assignment -- either completely or in early exit paths that do not
> result in errors in __sys_recvmsg()/sys_recvfrom() and, in turn, make
> them call move_addr_to_user(), leaking the then still uninitialized
> sockaddr_storage stack variable to userland.
> 
> My audit was initiated by a rather coarse fix of the leak that can be
> found in the grsecurity patch, putting a penalty on protocols complying
> to the rules of recvmsg. So credits for finding the leak in the recvmsg
> path in __sys_recvmsg() should go to Brad!
> 
> The buggy protocols/subsystems are rather obscure anyway. As a missing
> assignment of msg_namelen coupled with a missing filling of msg_name
> would only result in garbage -- the leak -- in case userland would care
> about that information, i.e. would provide a msg_name pointer. But
> obviously current userland does not.
> 
> While auditing the code for the above pattern I found a few more
> 'uninitialized members' kind of leaks related to the msg_name filling.
> Those are fixed in this series, too.
> 
> I have to admit, I failed to test all of the patches due to missing
> hardware, e.g. iucv depends on S390 -- hardware I've no access to :/

All applied and queued up for -stable, thanks!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ