lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 07 Nov 2010 11:31:32 -0500
From:	Dan Rosenberg <drosenberg@...curity.com>
To:	chas@....nrl.navy.mil, davem@...emloft.net, kuznet@....inr.ac.ru,
	pekkas@...core.fi, jmorris@...ei.org, yoshfuji@...ux-ipv6.org,
	kaber@...sh.net, remi.denis-courmont@...ia.com
Cc:	netdev@...r.kernel.org, security@...nel.org, stable@...nel.org
Subject: [PATCH 0/9] Fix leaking of kernel heap addresses in net/

This patch series resolves the leakage of kernel heap addresses to
userspace via network protocol /proc interfaces and public error
messages.  Revealing this information is a bad idea from a security
perspective for a number of reasons, the most obvious of which is it
provides unprivileged users a mechanism by which to create a structure
in the kernel heap containing function pointers, obtain the address of
that structure, and overwrite those function pointers by leveraging
other vulnerabilities.  It is my hope that by eliminating this
information leakage, in conjunction with making statically-declared
function pointer tables read-only (to be done in a separate patch
series), we can at least add a small hurdle for the exploitation of a
subset of kernel vulnerabilities.

To maintain compatibility with userspace programs relying on
consistent /proc output, the output descriptions and number of fields
are not changed.  When a unique identifier for the socket is desired,
the socket address has been replaced with the socket inode number.  When
the inode number is already present in the output, the address has been
replaced with a 0.  In these cases, the format specifier has been
changed to %d, because a %p output of 0 from kernel space is written as
"(null)", while userspace %p can only parse "(nil)".

-Dan

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ