lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1324928172.2599.3.camel@edumazet-laptop>
Date:	Mon, 26 Dec 2011 20:36:12 +0100
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Pavel Emelyanov <xemul@...allels.com>
Cc:	David Miller <davem@...emloft.net>,
	Linux Netdev List <netdev@...r.kernel.org>
Subject: Re: [PATCH] unix_diag: Fix incoming connections nla length

Le dimanche 25 décembre 2011 à 23:58 +0400, Pavel Emelyanov a écrit :
> The NLA_PUT macro should accept the actual attribute length, not
> the amount of elements in array :(
> 
> Signed-off-by: Pavel Emelyanov <xemul@...allels.com>
> 
> ---
>  net/unix/diag.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/net/unix/diag.c b/net/unix/diag.c
> index 91d5782..39e44c9 100644
> --- a/net/unix/diag.c
> +++ b/net/unix/diag.c
> @@ -72,7 +72,8 @@ static int sk_diag_dump_icons(struct sock *sk, struct sk_buff *nlskb)
>  
>  	if (sk->sk_state == TCP_LISTEN) {
>  		spin_lock(&sk->sk_receive_queue.lock);
> -		buf = UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS, sk->sk_receive_queue.qlen);
> +		buf = UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS,
> +				sk->sk_receive_queue.qlen * sizeof(u32));
>  		i = 0;
>  		skb_queue_walk(&sk->sk_receive_queue, skb) {
>  			struct sock *req, *peer;

Hmm, I must say sk_diag_dump_icons() looks buggy, since it does :


if (peer)
	buf[i++] = sock_i_ino(peer);

So we probably leak kernel memory content to user for the (!peer) case,
since we did :

UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS,
		sk->sk_receive_queue.qlen * sizeof(u32));



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ