lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1375880841-12959-1-git-send-email-olaf@aepfle.de>
Date:	Wed,  7 Aug 2013 15:07:21 +0200
From:	Olaf Hering <olaf@...fle.de>
To:	kys@...rosoft.com, gregkh@...uxfoundation.org
Cc:	linux-kernel@...r.kernel.org, Olaf Hering <olaf@...fle.de>
Subject: [PATCH] Tools: hv: correct payload size in netlink_send

netlink_send is supposed to send just the cn_msg+hv_kvp_msg via netlink.
Currently it sets an incorrect iovec size, as reported by valgrind.

In the case of registering with the kernel the allocated buffer is large
enough to hold nlmsghdr+cn_msg+hv_kvp_msg, no overrun happens. In the
case of responding to the kernel the cn_msg is located in the middle of
recv_buffer, after the nlmsghdr. Currently the code in netlink_send adds
also the size of nlmsghdr to the payload. But nlmsghdr is a separate
iovec. This leads to an (harmless) out-of-bounds access when the kernel
processes the iovec. Correct the iovec size of the cn_msg to be just
cn_msg + its payload.

Signed-off-by: Olaf Hering <olaf@...fle.de>
---
 tools/hv/hv_kvp_daemon.c | 2 +-
 tools/hv/hv_vss_daemon.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c
index d3bcb84..1bd1ad1 100644
--- a/tools/hv/hv_kvp_daemon.c
+++ b/tools/hv/hv_kvp_daemon.c
@@ -1399,7 +1399,7 @@ netlink_send(int fd, struct cn_msg *msg)
 	char buffer[64];
 	struct iovec iov[2];
 
-	size = NLMSG_SPACE(sizeof(struct cn_msg) + msg->len);
+	size = sizeof(struct cn_msg) + msg->len;
 
 	nlh = (struct nlmsghdr *)buffer;
 	nlh->nlmsg_seq = 0;
diff --git a/tools/hv/hv_vss_daemon.c b/tools/hv/hv_vss_daemon.c
index 6b4f2fa..2f1f53f 100644
--- a/tools/hv/hv_vss_daemon.c
+++ b/tools/hv/hv_vss_daemon.c
@@ -111,7 +111,7 @@ static int netlink_send(int fd, struct cn_msg *msg)
 	char buffer[64];
 	struct iovec iov[2];
 
-	size = NLMSG_SPACE(sizeof(struct cn_msg) + msg->len);
+	size = sizeof(struct cn_msg) + msg->len;
 
 	nlh = (struct nlmsghdr *)buffer;
 	nlh->nlmsg_seq = 0;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ