lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 23 Aug 2017 22:35:10 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     sbrivio@...hat.com
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org, lucien.xin@...il.com, vyasevich@...il.com,
        nhorman@...driver.com, linux-sctp@...r.kernel.org
Subject: Re: [PATCH net] sctp: Avoid out-of-bounds reads from address
 storage

From: Stefano Brivio <sbrivio@...hat.com>
Date: Wed, 23 Aug 2017 13:27:13 +0200

> inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() copy
> sizeof(sockaddr_storage) bytes to fill in sockaddr structs used
> to export diagnostic information to userspace.
> 
> However, the memory allocated to store sockaddr information is
> smaller than that and depends on the address family, so we leak
> up to 100 uninitialized bytes to userspace. Just use the size of
> the source structs instead, in all the three cases this is what
> userspace expects. Zero out the remaining memory.
> 
> Unused bytes (i.e. when IPv4 addresses are used) in source
> structs sctp_sockaddr_entry and sctp_transport are already
> cleared by sctp_add_bind_addr() and sctp_transport_new(),
> respectively.
> 
> Noticed while testing KASAN-enabled kernel with 'ss':
 ...
> This fixes CVE-2017-7558.
> 
> References: https://bugzilla.redhat.com/show_bug.cgi?id=1480266
> Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
> Cc: <stable@...r.kernel.org> # 4.7+
> Cc: Xin Long <lucien.xin@...il.com>
> Cc: Vlad Yasevich <vyasevich@...il.com>
> Cc: Neil Horman <nhorman@...driver.com>
> Signed-off-by: Stefano Brivio <sbrivio@...hat.com>

Applied and queued up for -stable.

Do not put "stable@...nel..." into networking patch submissions.
For networking, I handle the stable submissions by hand myself.

Thank you.

Powered by blists - more mailing lists