Message-ID: <1324928172.2599.3.camel@edumazet-laptop>
Date: Mon, 26 Dec 2011 20:36:12 +0100
From: Eric Dumazet <eric.dumazet@...il.com>
To: Pavel Emelyanov <xemul@...allels.com>
Cc: David Miller <davem@...emloft.net>,
Linux Netdev List <netdev@...r.kernel.org>
Subject: Re: [PATCH] unix_diag: Fix incoming connections nla length
On Sunday, 25 December 2011 at 23:58 +0400, Pavel Emelyanov wrote:
> The NLA_PUT macro should accept the actual attribute length, not
> the amount of elements in array :(
>
> Signed-off-by: Pavel Emelyanov <xemul@...allels.com>
>
> ---
> net/unix/diag.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/net/unix/diag.c b/net/unix/diag.c
> index 91d5782..39e44c9 100644
> --- a/net/unix/diag.c
> +++ b/net/unix/diag.c
> @@ -72,7 +72,8 @@ static int sk_diag_dump_icons(struct sock *sk, struct sk_buff *nlskb)
>
> if (sk->sk_state == TCP_LISTEN) {
> spin_lock(&sk->sk_receive_queue.lock);
> - buf = UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS, sk->sk_receive_queue.qlen);
> + buf = UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS,
> + sk->sk_receive_queue.qlen * sizeof(u32));
> i = 0;
> skb_queue_walk(&sk->sk_receive_queue, skb) {
> struct sock *req, *peer;
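Review bot: the corrected length is right, but the loop that follows this hunk writes `buf[i++] = sock_i_ino(peer)` only under `if (peer)` (as quoted in the reply below), so with qlen slots reserved every queued skb whose peer is NULL leaves one u32 of whatever the skb data area already held inside the attribute, and that is copied to userspace with the rest of the message. Suggest either clearing the reservation right after `UNIX_DIAG_PUT()` (`memset(buf, 0, sk->sk_receive_queue.qlen * sizeof(u32));`) or walking the queue once to count entries with a peer and reserving only that many u32s, so the attribute length matches what is actually written.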
Hmm, I must say sk_diag_dump_icons() looks buggy, since it does:
	if (peer)
		buf[i++] = sock_i_ino(peer);
So we probably leak kernel memory content to userspace for the (!peer) case,
since we did:
	UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS,
		      sk->sk_receive_queue.qlen * sizeof(u32));
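A userspace model of the leak the reply points at, added here as an illustration; it is not kernel code and not code from anyone in this thread. It assumes a fake skb data area that keeps stale bytes (standing in for a recycled slab object), a constructed queue of pending connections with and without a peer, and a hypothetical diag_put() standing in for UNIX_DIAG_PUT(); all names other than the ones quoted from the patch are made up for the example. It shows the attribute as sized by the patch next to a hardened variant that counts the entries with a peer before reserving and zeroes the reservation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;

/* Constructed stand-in for one skb queued on a listening unix socket:
   the pending connection may or may not have a peer attached. */
struct pending {
    int has_peer;
    u32 peer_ino;
};

/* Constructed stand-in for the netlink reply skb's data area.  A real skb
   comes from a recycled allocation and the reservation macro hands out tail
   bytes without clearing them, so the area is pre-filled with a marker
   pattern that plays the role of leftover kernel data. */
#define ARENA_SIZE 256
struct fake_skb {
    unsigned char data[ARENA_SIZE];
    size_t len;
};

static unsigned char stale_marker(size_t off)
{
    return (unsigned char)(0xA0 + (off & 0x0f));
}

static void fake_skb_init(struct fake_skb *skb)
{
    for (size_t i = 0; i < ARENA_SIZE; i++)
        skb->data[i] = stale_marker(i);
    skb->len = 0;
}

/* Hypothetical model of UNIX_DIAG_PUT(): reserve len bytes at the tail and
   return them as they are.  Nothing here zeroes the reservation. */
static void *diag_put(struct fake_skb *skb, size_t len)
{
    if (skb->len + len > ARENA_SIZE)
        return NULL;
    void *p = skb->data + skb->len;
    skb->len += len;
    return p;
}

/* Shape of sk_diag_dump_icons() after the patch: qlen slots are reserved,
   but a slot is written only when the entry has a peer, so the slots past
   the last write keep whatever the skb already held.  Returns the
   attribute length, 0 if the reservation failed. */
static size_t dump_icons_vulnerable(struct fake_skb *skb, const struct pending *q,
                                    size_t qlen, u32 **attr)
{
    u32 *buf = diag_put(skb, qlen * sizeof(u32));
    if (!buf)
        return 0;
    size_t i = 0;
    for (size_t k = 0; k < qlen; k++)
        if (q[k].has_peer)
            buf[i++] = q[k].peer_ino;
    *attr = buf;
    return qlen * sizeof(u32);
}

/* Hardened shape: reserve exactly as many slots as will be written, and
   zero the reservation anyway so a skipped slot can never expose
   unwritten bytes. */
static size_t dump_icons_fixed(struct fake_skb *skb, const struct pending *q,
                               size_t qlen, u32 **attr)
{
    size_t count = 0;
    for (size_t k = 0; k < qlen; k++)
        if (q[k].has_peer)
            count++;
    size_t len = count * sizeof(u32);
    u32 *buf = diag_put(skb, len);
    if (!buf)
        return 0;
    memset(buf, 0, len);
    size_t i = 0;
    for (size_t k = 0; k < qlen; k++)
        if (q[k].has_peer)
            buf[i++] = q[k].peer_ino;
    *attr = buf;
    return len;
}

/* Count attribute bytes still carrying the stale marker, i.e. bytes that
   would reach userspace without ever having been written.  The sample
   inode numbers below never produce a byte in 0xA0..0xAF, so a written
   byte cannot be mistaken for a stale one. */
static size_t stale_bytes(const struct fake_skb *skb, const u32 *attr, size_t len)
{
    size_t off = (const unsigned char *)attr - skb->data;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (skb->data[off + i] == stale_marker(off + i))
            n++;
    return n;
}

/* Constructed queue: four pending skbs, two of which carry a peer. */
static const struct pending sample_queue[] = {
    { 1, 1001 }, { 0, 0 }, { 1, 1002 }, { 0, 0 },
};
#define SAMPLE_QLEN (sizeof(sample_queue) / sizeof(sample_queue[0]))

typedef size_t (*icons_dumper)(struct fake_skb *, const struct pending *, size_t, u32 **);

/* Run one dumper over the sample queue.  Returns the number of unwritten
   bytes it would hand to userspace; stores the attribute length in
   *attr_len when that pointer is non-NULL. */
size_t leaked_bytes(icons_dumper dump, size_t *attr_len)
{
    struct fake_skb skb;
    u32 *attr = NULL;
    fake_skb_init(&skb);
    size_t len = dump(&skb, sample_queue, SAMPLE_QLEN, &attr);
    if (attr_len)
        *attr_len = len;
    return attr ? stale_bytes(&skb, attr, len) : 0;
}

int main(void)
{
    size_t len, leaked;
    leaked = leaked_bytes(dump_icons_vulnerable, &len);
    printf("patched  : attr len %zu, %zu unwritten bytes copied to userspace\n", len, leaked);
    leaked = leaked_bytes(dump_icons_fixed, &len);
    printf("hardened : attr len %zu, %zu unwritten bytes copied to userspace\n", len, leaked);
    return 0;
}
```

With two of four queued entries carrying a peer, the patched shape reserves 16 bytes and writes 8 of them, so 8 bytes of stale skb memory go out in UNIX_DIAG_ICONS; the hardened shape reserves 8 bytes and every one of them is written. Counting first also keeps the attribute length honest, which matters because a consumer of UNIX_DIAG_ICONS derives the number of pending connections from that length.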