| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Feb 2014 13:59:54 +0100
From: Jan Kara <jack@...e.cz>
To: Vegard Nossum <vegard.nossum@...cle.com>
Cc: Jan Kara <jack@...e.cz>, LKML <linux-kernel@...r.kernel.org>
Subject: Re: inotify cookie regression/info leak in latest mainline
Hello,
On Sat 15-02-14 22:39:38, Vegard Nossum wrote:
> It would seem that
>
> commit 7053aee26a3548ebaba046ae2e52396ccf56ac6c
> Author: Jan Kara <jack@...e.cz>
> Date: Tue Jan 21 15:48:14 2014 -0800
>
> fsnotify: do not share events between notification groups
>
> introduced a bug where the cookie field of struct inotify_event
> never gets initialised. In particular, it used to be initialised
> when send_to_group() called fsnotify_create_event(), but that no
> longer happens, and the 'cookie' parameter of send_to_group() never
> gets used.
>
> The problem manifests itself in copy_event_to_user() where the
> cookie field is copied to userspace without being initialised.
>
> I tested this with a simple userspace program, I seem to get mostly
> 0xffff8800 in the cookie field for non-move events (which should
> always have 0 here).
That's a really embarassing bug. I've extented LTP inotify tests to
verify the cookie value is sane (so far the tests completely ignored the
value which is why I didn't notice the breakage).
Attached patch fixes the problem for me. I'll send it to Linus tomorrow.
Thanks for spotting the problem!
Honza
--
Jan Kara <jack@...e.cz>
SUSE Labs, CR
View attachment "0001-inotify-Fix-reporting-of-cookies-for-inotify-events.patch" of type "text/x-patch" (6411 bytes)
Powered by blists - more mailing lists