| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 31 Aug 2008 00:29:28 +0400
From: Cyrill Gorcunov <gorcunov@...il.com>
To: Vegard Nossum <vegard.nossum@...il.com>
Cc: Tom Tucker <tom@...ngridcomputing.com>, Neil Brown <neilb@...e.de>,
Chuck Lever <chuck.lever@...cle.com>, Greg Banks <gnb@....com>,
"J. Bruce Fields" <bfields@...i.umich.edu>,
linux-kernel@...r.kernel.org
Subject: Re: buffer overflow in /proc/sys/sunrpc/transports
[Vegard Nossum - Sat, Aug 30, 2008 at 10:13:23PM +0200]
| On Sat, Aug 30, 2008 at 10:04 PM, Cyrill Gorcunov <gorcunov@...il.com> wrote:
| > [Vegard Nossum - Sat, Aug 30, 2008 at 09:59:38PM +0200]
| > | On Sat, Aug 30, 2008 at 9:56 PM, Cyrill Gorcunov <gorcunov@...il.com> wrote:
| > | > | BTW, look at this:
| > | > |
| > | > | $ od -A x -t x1z /proc/sys/sunrpc/transports
| > | > | 000000 74 63 70 20 31 30 34 38 35 37 36 0a 75 64 70 20 >tcp 1048576.udp <
| > | > | 000010 33 32 37 36 38 0a 00 00 00 00 00 00 00 00 00 00 >32768...........<
| > | > | 000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >................<
| > | > | *
| > | > | 0003e0 00 00 00 00 00 00 00 00 00 00 >..........<
| > | > | 0003ea
| > | > |
| > | > | ...and:
| > | > |
| > | > | $ strace -e trace=read cat /proc/sys/sunrpc/transports > /dev/null
| > | > | read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@G\316E4\0\0\0"...,
| > | > | 512) = 512
| > | > | read(3, "tcp 1048576\nudp 32768\n\0\0\0\0\0\0\0\0\0\0"..., 4096) = 4074
| > | > | read(3, "", 4096) = 0
| > | > |
| > | > | ...why does it have a huge return value? The output is only about 40
| > | > | bytes... why add all the \0? Would your patch also fix this?
| > | >
| > | > I think it's from strace side - it pass 4096 zero'ed buffer.
| > |
| > | "cat" passed buffer of size 4096, yes. But read() still returned 4074.
| > | It should have returned 38 or so.
| > |
| > | > At least I don't see additional issues from kernel side in buffer
| > | > filling - except from svc_print_xprts() which walk over list.
| > | > But I think sunpc guys should know details :)
| > | > Will send short-fix patch soon :)
| > |
| > | It looks like it's returning (sizeof(buffer) - x) where it really
| > | should be returning x. Maybe it's this one that should be different?
| > |
| > | *lenp -= len;
| > |
| >
| > yes, but this is just a side effect, if we fix main error - it should
| > resolve this problem too. Did you try the fix I sent a few msgs ago?
| > (I don't have sunrpc on my machine)
|
| Sorry, I did it now :-)
|
| $ uname -a
| Linux grianne 2.6.27-rc5-00006-gbef69ea-dirty #4 SMP PREEMPT Sat
| Aug 30 22:07:18 CEST 2008 i686 i686 i386 GNU/Linux
|
| $ strace -e trace=read cat /proc/sys/sunrpc/transports > /dev/null
| read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320
| \265\0004\0\0\0"..., 512) = 512
| read(3, "tcp 1048576\nudp 32768\n\0\0\0\0\0\0\0\0\0\0"..., 4096) = 4074
| read(3, "", 4096) = 0
|
| So that problem seems to remain.
|
|
| Vegard
Vegard, are you sure you test it with this patch (a bit updated)?
|
| --
| "The animistic metaphor of the bug that maliciously sneaked in while
| the programmer was not looking is intellectually dishonest as it
| disguises that the error is the programmer's own creation."
| -- E. W. Dijkstra, EWD1036
|
- Cyrill -
---
Index: linux-2.6.git/net/sunrpc/sysctl.c
===================================================================
--- linux-2.6.git.orig/net/sunrpc/sysctl.c 2008-07-20 11:40:14.000000000 +0400
+++ linux-2.6.git/net/sunrpc/sysctl.c 2008-08-31 00:19:42.000000000 +0400
@@ -69,9 +69,10 @@ static int proc_do_xprt(ctl_table *table
return -EINVAL;
else {
len = svc_print_xprts(tmpbuf, sizeof(tmpbuf));
+ if (*lenp < len)
+ len = *lenp;
if (!access_ok(VERIFY_WRITE, buffer, len))
return -EFAULT;
-
if (__copy_to_user(buffer, tmpbuf, len))
return -EFAULT;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists