| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 3 Aug 2020 14:18:10 +0200
From: Ursula Braun <ubraun@...ux.ibm.com>
To: Peilin Ye <yepeilin.cs@...il.com>,
Karsten Graul <kgraul@...ux.ibm.com>
Cc: "David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Dan Carpenter <dan.carpenter@...cle.com>,
Arnd Bergmann <arnd@...db.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-s390@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel-mentees@...ts.linuxfoundation.org,
linux-kernel@...r.kernel.org
Subject: Re: [Linux-kernel-mentees] [PATCH net] net/smc: Prevent
kernel-infoleak in __smc_diag_dump()
On 8/1/20 9:44 PM, Peilin Ye wrote:
> __smc_diag_dump() is potentially copying uninitialized kernel stack memory
> into socket buffers, since the compiler may leave a 4-byte hole near the
> beginning of `struct smcd_diag_dmbinfo`. Fix it by initializing `dinfo`
> with memset().
>
> Cc: stable@...r.kernel.org
> Fixes: 4b1b7d3b30a6 ("net/smc: add SMC-D diag support")
> Suggested-by: Dan Carpenter <dan.carpenter@...cle.com>
> Signed-off-by: Peilin Ye <yepeilin.cs@...il.com>
> ---
> Reference: https://lwn.net/Articles/417989/
>
> $ pahole -C "smcd_diag_dmbinfo" net/smc/smc_diag.o
> struct smcd_diag_dmbinfo {
> __u32 linkid; /* 0 4 */
>
> /* XXX 4 bytes hole, try to pack */
>
> __u64 peer_gid __attribute__((__aligned__(8))); /* 8 8 */
> __u64 my_gid __attribute__((__aligned__(8))); /* 16 8 */
> __u64 token __attribute__((__aligned__(8))); /* 24 8 */
> __u64 peer_token __attribute__((__aligned__(8))); /* 32 8 */
>
> /* size: 40, cachelines: 1, members: 5 */
> /* sum members: 36, holes: 1, sum holes: 4 */
> /* forced alignments: 4, forced holes: 1, sum forced holes: 4 */
> /* last cacheline: 40 bytes */
> } __attribute__((__aligned__(8)));
> $ _
>
Thanks, patch is added to our local library and will be part of our
next shipment of smc patches for the net-tree.
Regards, Ursula
> net/smc/smc_diag.c | 16 +++++++++-------
> 1 file changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/net/smc/smc_diag.c b/net/smc/smc_diag.c
> index e1f64f4ba236..da9ba6d1679b 100644
> --- a/net/smc/smc_diag.c
> +++ b/net/smc/smc_diag.c
> @@ -170,13 +170,15 @@ static int __smc_diag_dump(struct sock *sk, struct sk_buff *skb,
> (req->diag_ext & (1 << (SMC_DIAG_DMBINFO - 1))) &&
> !list_empty(&smc->conn.lgr->list)) {
> struct smc_connection *conn = &smc->conn;
> - struct smcd_diag_dmbinfo dinfo = {
> - .linkid = *((u32 *)conn->lgr->id),
> - .peer_gid = conn->lgr->peer_gid,
> - .my_gid = conn->lgr->smcd->local_gid,
> - .token = conn->rmb_desc->token,
> - .peer_token = conn->peer_token
> - };
> + struct smcd_diag_dmbinfo dinfo;
> +
> + memset(&dinfo, 0, sizeof(dinfo));
> +
> + dinfo.linkid = *((u32 *)conn->lgr->id);
> + dinfo.peer_gid = conn->lgr->peer_gid;
> + dinfo.my_gid = conn->lgr->smcd->local_gid;
> + dinfo.token = conn->rmb_desc->token;
> + dinfo.peer_token = conn->peer_token;
>
> if (nla_put(skb, SMC_DIAG_DMBINFO, sizeof(dinfo), &dinfo) < 0)
> goto errout;
>
Powered by blists - more mailing lists