lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Aug 2017 22:35:10 -0700 (PDT) From: David Miller <davem@...emloft.net> To: sbrivio@...hat.com Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org, stable@...r.kernel.org, lucien.xin@...il.com, vyasevich@...il.com, nhorman@...driver.com, linux-sctp@...r.kernel.org Subject: Re: [PATCH net] sctp: Avoid out-of-bounds reads from address storage From: Stefano Brivio <sbrivio@...hat.com> Date: Wed, 23 Aug 2017 13:27:13 +0200 > inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() copy > sizeof(sockaddr_storage) bytes to fill in sockaddr structs used > to export diagnostic information to userspace. > > However, the memory allocated to store sockaddr information is > smaller than that and depends on the address family, so we leak > up to 100 uninitialized bytes to userspace. Just use the size of > the source structs instead, in all the three cases this is what > userspace expects. Zero out the remaining memory. > > Unused bytes (i.e. when IPv4 addresses are used) in source > structs sctp_sockaddr_entry and sctp_transport are already > cleared by sctp_add_bind_addr() and sctp_transport_new(), > respectively. > > Noticed while testing KASAN-enabled kernel with 'ss': ... > This fixes CVE-2017-7558. > > References: https://bugzilla.redhat.com/show_bug.cgi?id=1480266 > Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") > Cc: <stable@...r.kernel.org> # 4.7+ > Cc: Xin Long <lucien.xin@...il.com> > Cc: Vlad Yasevich <vyasevich@...il.com> > Cc: Neil Horman <nhorman@...driver.com> > Signed-off-by: Stefano Brivio <sbrivio@...hat.com> Applied and queued up for -stable. Do not put "stable@...nel..." into networking patch submissions. For networking, I handle the stable submissions by hand myself. Thank you.
Powered by blists - more mailing lists