| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.DEB.2.20.1705300824480.1950@nanos>
Date: Tue, 30 May 2017 08:26:01 +0200 (CEST)
From: Thomas Gleixner <tglx@...utronix.de>
To: Manjeet Pawar <manjeet.p@...sung.com>
cc: perex@...ex.cz, tiwai@...e.de, alsa-devel@...a-project.org,
linux-api@...r.kernel.org, linux-kernel@...r.kernel.org,
a.sahrawat@...sung.com, lalit.mohan@...sung.com,
pankaj.m@...sung.com, Vaneet Narang <v.narang@...sung.com>
Subject: Re: [PATCH] ALSA: Adjust structure(snd_timer_tread) members to avoid
8 padding bytes
On Tue, 30 May 2017, Manjeet Pawar wrote:
> This patch is made to fix below CVE issue where 8 padding bytes are sent to
> user without being initialized. Structure members are adjusted to avoid 8
> padding bytes.
>
> CVE-2016-4569/CVE-2016-4578:
> The stack object tread has a total size of 32 bytes. Its field
> event and val both contain 4 bytes padding. These 8 bytes
> padding bytes are sent to user without being initialized.
>
> Fix patch:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cec8f96e49d9be372fdb0c3836dcf31ec71e457e
> https://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git/commit/?h=for-next&id=9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
>
> These patches does memset on structure object to initialize 8 padding bytes, which can be skipped by
> adjusting structure members.
And by rearranging the struct members you break existing user space, which
is a NONO. The struct has to stay as is.
Thanks,
tglx
Powered by blists - more mailing lists