Message-ID: <bf3dff0c9e2d4affa7044a882317144b@AcuMS.aculab.com>
Date: Mon, 20 Jul 2020 15:12:30 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'lebon zhou' <lebon.zhou@...il.com>,
"davem@...emloft.net" <davem@...emloft.net>,
"kuba@...nel.org" <kuba@...nel.org>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: RE: [PATCH] Fix memory overwriting issue when copy an address to user space
From: lebon zhou
> Sent: 20 July 2020 05:35
> To: davem@...emloft.net; kuba@...nel.org
> Cc: linux-kernel@...r.kernel.org; netdev@...r.kernel.org
> Subject: [PATCH] Fix memory overwriting issue when copy an address to user space
>
> When the application-provided buffer size is less than sockaddr_storage, the
> kernel will overwrite some memory area, which may cause memory corruption,
> e.g. in the recvmsg case, let msg_name=malloc(8) and msg_namelen=8; then
> the application can usually call recvmsg successfully, but the application
> memory actually gets corrupted.
Where?
The copy_to_user() uses the short length provided by the user.
There is even a comment saying that if the address is truncated
the length returned to the user is the full length.
Maybe the application is reusing the msg without re-initialising
it properly.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
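
The behaviour described in the reply can be checked from user space. The program below is an added example, not code from this thread or from the kernel: it assumes Linux AF_UNIX datagram sockets, and the abstract socket name, `trunc_result` and `recv_with_short_name` are constructed for the illustration. It calls recvmsg() with msg_namelen=8 against a sender whose address is longer, then checks that only 8 bytes were written and that msg_namelen comes back as the full length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

struct trunc_result {            /* example-only type */
    int ok;                      /* exchange completed */
    socklen_t full_len;          /* sender's real address length */
    socklen_t reported_len;      /* msg_namelen after recvmsg() */
    int prefix_copied;           /* buf[0..7] holds the truncated address */
    int canary_intact;           /* bytes past the 8-byte limit untouched */
};

struct trunc_result recv_with_short_name(void)
{
    struct trunc_result r = { 0 };
    struct sockaddr_un src = { .sun_family = AF_UNIX };
    unsigned char buf[32], fill[32];   /* buf[0..7] is msg_name, rest is canary */
    char data[4];
    struct iovec iov = { .iov_base = data, .iov_len = sizeof data };
    struct msghdr msg = { .msg_name = buf, .msg_namelen = 8,
                          .msg_iov = &iov, .msg_iovlen = 1 };
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return r;
    /* Constructed Linux abstract-namespace name: sun_path[0] stays '\0'. */
    int n = snprintf(src.sun_path + 1, sizeof src.sun_path - 1,
                     "recvmsg-trunc-demo-%ld", (long)getpid());
    r.full_len = offsetof(struct sockaddr_un, sun_path) + 1 + n;
    memset(buf, 0xA5, sizeof buf);
    memset(fill, 0xA5, sizeof fill);
    if (bind(sv[0], (struct sockaddr *)&src, r.full_len) == 0 &&
        send(sv[0], "ping", 4, 0) == 4 && recvmsg(sv[1], &msg, 0) == 4) {
        r.ok = 1;
        r.reported_len = msg.msg_namelen;
        r.prefix_copied = memcmp(buf, &src, 8) == 0;
        r.canary_intact = memcmp(buf + 8, fill + 8, sizeof buf - 8) == 0;
    }
    close(sv[0]); close(sv[1]);
    return r;
}

int main(void)
{
    struct trunc_result r = recv_with_short_name();
    printf("full=%u reported=%u\n", (unsigned)r.full_len, (unsigned)r.reported_len);
    return !(r.ok && r.prefix_copied && r.canary_intact);
}
```

A caller that reuses the msghdr for another recvmsg() without resetting msg_namelen to its real buffer size would pass the larger returned value as the limit on the next call.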