Message-ID: <1288548514.2660.70.camel@edumazet-laptop>
Date: Sun, 31 Oct 2010 19:08:34 +0100
From: Eric Dumazet <eric.dumazet@...il.com>
To: Vasiliy Kulikov <segooon@...il.com>
Cc: kernel-janitors@...r.kernel.org, Joerg Reuter <jreuter@...na.de>, Ralf Baechle <ralf@...ux-mips.org>, "David S. Miller" <davem@...emloft.net>, linux-hams@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/3] net: ax25: fix information leak to userland

On Sunday, 31 October 2010 at 20:10 +0300, Vasiliy Kulikov wrote:
> Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
> field of fsa struct. This structure is then copied to userland. It leads to
> leaking of contents of kernel stack memory. We have to initialize them to zero.
>
> Signed-off-by: Vasiliy Kulikov <segooon@...il.com>
> ---
>  net/ax25/af_ax25.c |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
> index 26eaebf..a324d83 100644
> --- a/net/ax25/af_ax25.c
> +++ b/net/ax25/af_ax25.c
> @@ -1392,6 +1392,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
>  	ax25_cb *ax25;
>  	int err = 0;
>  
> +	memset(&fsa->fsa_digipeater, 0, sizeof(fsa->fsa_digipeater));
>  	lock_sock(sk);
>  	ax25 = ax25_sk(sk);
>  

If you really want to fix this for good, please do it completely?

sa_family_t is a short
ax25_address is 7 bytes.

Therefore, there is a hole before sax25_ndigis.

struct sockaddr_ax25 {
	sa_family_t	sax25_family;
	ax25_address	sax25_call;
	<hole>
	int		sax25_ndigis;
	/* Digipeater ax25_address sets follow */
};

struct full_sockaddr_ax25 {
	struct sockaddr_ax25 fsa_ax25;
	ax25_address fsa_digipeater[AX25_MAX_DIGIS];
};

So a correct patch is the following one.

Note AX25 is probably used by nobody at all, so a full memset() is not
performance critical in this path.

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 26eaebf..6da5dae 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1392,6 +1392,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
 	ax25_cb *ax25;
 	int err = 0;
 
+	memset(fsa, 0, sizeof(*fsa));
 	lock_sock(sk);
 	ax25 = ax25_sk(sk);
 
@@ -1403,7 +1404,6 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
 
 		fsa->fsa_ax25.sax25_family = AF_AX25;
 		fsa->fsa_ax25.sax25_call   = ax25->dest_addr;
-		fsa->fsa_ax25.sax25_ndigis = 0;
 
 		if (ax25->digipeat != NULL) {
 			ndigi = ax25->digipeat->ndigi;
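Review bot: in the quoted hunk, memset(&fsa->fsa_digipeater, 0, sizeof(fsa->fsa_digipeater)) zeroes only the digipeater array; the compiler-inserted padding between sax25_call and sax25_ndigis inside fsa->fsa_ax25 is never written on any path and is still copied to userland, so the leak is narrowed rather than closed. Zeroing the whole object at the same point, `memset(fsa, 0, sizeof(*fsa));`, covers both the array and the padding.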
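Review bot: removing `fsa->fsa_ax25.sax25_ndigis = 0;` in the second hunk is correct only because the memset() added in the first hunk now runs before this point on every path; the two hunks must stay together, since backporting the second on its own would leave sax25_ndigis uninitialised when ax25->digipeat is NULL. A short comment next to the memset() saying it also clears the struct padding would stop a later cleanup from narrowing it back to the array.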
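The padding hole Eric describes, as an added example (not code from this message or from the kernel): the struct layouts are reconstructed from his description, AX25_MAX_DIGIS is assumed to be 8, and stale_bytes() mimics the field-by-field initialisation in ax25_getname() to count how many bytes of the copy to userland would still carry stale stack contents, with and without a leading memset().

```c
#include <stddef.h>
#include <string.h>
/* Layouts reconstructed from the message above, not taken from kernel headers. */
typedef unsigned short sa_family_t_;                  /* "sa_family_t is a short" */
typedef struct { char ax25_call[7]; } ax25_address_;  /* "ax25_address is 7 bytes" */
#define AX25_MAX_DIGIS_ 8                             /* assumed value */
#define AF_AX25_ 3                                    /* Linux AF_AX25 */
#define STALE 0xA5  /* stands in for whatever the kernel stack held before the call */
struct sockaddr_ax25_ {
	sa_family_t_ sax25_family;
	ax25_address_ sax25_call;
	/* the compiler pads here so that sax25_ndigis is int-aligned: the <hole> */
	int sax25_ndigis;
};

struct full_sockaddr_ax25_ {
	struct sockaddr_ax25_ fsa_ax25;
	ax25_address_ fsa_digipeater[AX25_MAX_DIGIS_];
};

/* Bytes of padding between sax25_call and sax25_ndigis (3 on common ABIs). */
size_t hole_before_ndigis(void)
{
	return offsetof(struct sockaddr_ax25_, sax25_ndigis)
	     - (offsetof(struct sockaddr_ax25_, sax25_call) + sizeof(ax25_address_));
}

/* Fill the struct field by field as ax25_getname() did, optionally zeroing it
 * first, and count the bytes that would still carry stale stack contents. */
size_t stale_bytes(int memset_first, int ndigi)
{
	struct full_sockaddr_ax25_ fsa;
	const ax25_address_ dest = { "DEST-0" };  /* constructed sample callsign */
	const unsigned char *p = (const unsigned char *)&fsa;
	size_t i, stale = 0;

	if (ndigi > AX25_MAX_DIGIS_)
		ndigi = AX25_MAX_DIGIS_;
	memset(&fsa, STALE, sizeof fsa);        /* simulate a dirty kernel stack */
	if (memset_first)
		memset(&fsa, 0, sizeof fsa);    /* Eric's fix: clear the whole struct */
	fsa.fsa_ax25.sax25_family = AF_AX25_;
	fsa.fsa_ax25.sax25_call = dest;
	fsa.fsa_ax25.sax25_ndigis = ndigi;
	for (i = 0; i < (size_t)ndigi; i++)     /* only ndigi entries get written */
		fsa.fsa_digipeater[i] = dest;
	for (i = 0; i < sizeof fsa; i++)        /* the rest reaches userland as-is */
		if (p[i] == STALE)
			stale++;
	return stale;
}
```

With one digipeater set and no memset(), the stale count is the 3-byte hole plus the seven unused digipeater slots; with the whole-struct memset() it is zero regardless of ndigi.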