linux-kernel - Re: [PATCH net-next v6 15/21] ip_tunnel: use a separate struct to store tunnel params in the kernel

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Thu, 4 Apr 2024 17:24:23 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Alexander Lobakin <aleksander.lobakin@...el.com>
Cc: "David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Yury Norov <yury.norov@...il.com>,
	Alexander Potapenko <glider@...gle.com>,
	nex.sw.ncis.osdt.itp.upstreaming@...el.com,
	intel-wired-lan@...ts.osuosl.org, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org, Simon Horman <horms@...nel.org>
Subject: Re: [PATCH net-next v6 15/21] ip_tunnel: use a separate struct to
 store tunnel params in the kernel

On Wed, Mar 27, 2024 at 04:23:52PM +0100, Alexander Lobakin wrote:
> +bool ip_tunnel_parm_to_user(void __user *data, struct ip_tunnel_parm_kern *kp)
> +{
> +	struct ip_tunnel_parm p;
> +
> +	strscpy(p.name, kp->name);

We need to clear out p before copying to user space to avoid an
information leak.  So this strscpy() needs to be strcpy_pad()

> +	p.link = kp->link;
> +	p.i_flags = kp->i_flags;
> +	p.o_flags = kp->o_flags;
> +	p.i_key = kp->i_key;
> +	p.o_key = kp->o_key;
> +	memcpy(&p.iph, &kp->iph, min(sizeof(p.iph), sizeof(kp->iph)));

And this memcpy() doesn't necessarily clear the whole of p.iph.

> +
> +	return !copy_to_user(data, &p, sizeof(p));
> +}

regards,
dan carpenter