Date: Mon, 17 Feb 2014 22:10:45 +0100
From: Vegard Nossum <vegard.nossum@...cle.com>
To: Jan Kara <jack@...e.cz>
CC: LKML <linux-kernel@...r.kernel.org>
Subject: Re: inotify cookie regression/info leak in latest mainline

On 02/17/2014 01:59 PM, Jan Kara wrote:
> Hello,
>
> On Sat 15-02-14 22:39:38, Vegard Nossum wrote:
>> It would seem that
>>
>> commit 7053aee26a3548ebaba046ae2e52396ccf56ac6c
>> Author: Jan Kara <jack@...e.cz>
>> Date: Tue Jan 21 15:48:14 2014 -0800
>>
>>     fsnotify: do not share events between notification groups
>>
>> introduced a bug where the cookie field of struct inotify_event
>> never gets initialised. In particular, it used to be initialised
>> when send_to_group() called fsnotify_create_event(), but that no
>> longer happens, and the 'cookie' parameter of send_to_group() never
>> gets used.
>>
>> The problem manifests itself in copy_event_to_user() where the
>> cookie field is copied to userspace without being initialised.
>>
>> I tested this with a simple userspace program, I seem to get mostly
>> 0xffff8800 in the cookie field for non-move events (which should
>> always have 0 here).
> That's a really embarrassing bug. I've extended LTP inotify tests to
> verify the cookie value is sane (so far the tests completely ignored the
> value which is why I didn't notice the breakage).
>
> Attached patch fixes the problem for me. I'll send it to Linus tomorrow.
> Thanks for spotting the problem!

That seems to fix it for me too, thanks for the quick fix!

Vegard