| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 07 Jun 2013 07:22:47 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: Willy Tarreau <w@....eu>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Jon Maloy <jon.maloy@...csson.com>,
Allan Stephens <allan.stephens@...driver.com>,
Mathias Krause <minipli@...glemail.com>,
"David S. Miller" <davem@...emloft.net>
Subject: Re: [ 184/184] tipc: fix info leaks via msg_name in
On Tue, 2013-06-04 at 19:24 +0200, Willy Tarreau wrote:
> 2.6.32-longterm review patch. If anyone has any objections, please let me know.
>
> ------------------
> recv_msg/recv_stream
>
> From: Mathias Krause <minipli@...glemail.com>
commit 60085c3d009b0df252547adb336d1ccca5ce52ec upstream.
> The code in set_orig_addr() does not initialize all of the members of
> struct sockaddr_tipc when filling the sockaddr info -- namely the union
> is only partly filled. This will make recv_msg() and recv_stream() --
> the only users of this function -- leak kernel stack memory as the
> msg_name member is a local variable in net/socket.c.
>
> Additionally to that both recv_msg() and recv_stream() fail to update
> the msg_namelen member to 0 while otherwise returning with 0, i.e.
> "success". This is the case for, e.g., non-blocking sockets. This will
> lead to a 128 byte kernel stack leak in net/socket.c.
>
> Fix the first issue by initializing the memory of the union with
> memset(0). Fix the second one by setting msg_namelen to 0 early as it
> will be updated later if we're going to fill the msg_name member.
>
> Cc: Jon Maloy <jon.maloy@...csson.com>
> Cc: Allan Stephens <allan.stephens@...driver.com>
> Signed-off-by: Mathias Krause <minipli@...glemail.com>
> Signed-off-by: David S. Miller <davem@...emloft.net>
> [dannf: backported to Debian's 2.6.32]
> Signed-off-by: Willy Tarreau <w@....eu>
> ---
> net/tipc/socket.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/net/tipc/socket.c b/net/tipc/socket.c
> index 8ebf4975..eccb86b 100644
> --- a/net/tipc/socket.c
> +++ b/net/tipc/socket.c
> @@ -800,6 +800,7 @@ static void set_orig_addr(struct msghdr *m, struct tipc_msg *msg)
> if (addr) {
> addr->family = AF_TIPC;
> addr->addrtype = TIPC_ADDR_ID;
> + memset(&addr->addr, 0, sizeof(addr->addr));
> addr->addr.id.ref = msg_origport(msg);
> addr->addr.id.node = msg_orignode(msg);
> addr->addr.name.domain = 0; /* could leave uninitialized */
> @@ -916,6 +917,9 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock,
> goto exit;
> }
>
> + /* will be updated in set_orig_addr() if needed */
> + m->msg_namelen = 0;
> +
> restart:
>
> /* Look for a message in receive queue; wait if necessary */
> @@ -1049,6 +1053,9 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock,
> goto exit;
> }
>
> + /* will be updated in set_orig_addr() if needed */
> + m->msg_namelen = 0;
> +
> restart:
>
> /* Look for a message in receive queue; wait if necessary */
--
Ben Hutchings
Theory and practice are closer in theory than in practice.
- John Levine, moderator of comp.compilers
Download attachment "signature.asc" of type "application/pgp-signature" (829 bytes)
Powered by blists - more mailing lists