| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1288727605.2504.21.camel@dan> Date: Tue, 02 Nov 2010 15:53:25 -0400 From: Dan Rosenberg <drosenberg@...curity.com> To: Oliver Hartkopp <socketcan@...tkopp.net> Cc: netdev@...r.kernel.org, security@...nel.org Subject: Re: [SECURITY] CAN info leak/minor heap overflow > Why is this bad? Can the addresses of CAN-BCM sock structs be used for > anything from userspace? > > For me they are just intented to be unique numbers ... > This is a bad idea because it makes exploiting other kernel vulnerabilities easier. Exposing the address of an object in a slab cache, especially an object that unprivileged users have some level of control of, is just an invitation to use that structure when writing exploits, for heap overflows or otherwise. -Dan > > Secondly, > > on 64-bit platforms, up to 17 bytes may be copied into the buffer. > > Hm - that's indeed not wanted. Will send a patch at least for this issue. > > > Fortunately, structure padding will most likely prevent this from being > > a problem, except for the trailing NULL byte, which may overwrite the > > first byte of the next heap object. Please name your procfile in a way > > that doesn't leak information and fits into the desired name buffer. > > > > -Dan > > > > Regards, > Oliver -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists