Message-Id: <20111226.144245.1639855054069401229.davem@davemloft.net>
Date:	Mon, 26 Dec 2011 14:42:45 -0500 (EST)
From:	David Miller <davem@...emloft.net>
To:	eric.dumazet@...il.com
Cc:	xemul@...allels.com, netdev@...r.kernel.org
Subject: Re: [PATCH] unix_diag: Fix incoming connections nla length

From: Eric Dumazet <eric.dumazet@...il.com>
Date: Mon, 26 Dec 2011 20:36:12 +0100

> if (peer)
> 	buf[i++] = sock_i_ino(peer);
> 
> So we probably leak kernel memory content to user for the (!peer) case,
> since we did:
> 
> UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS,
> 		sk->sk_receive_queue.qlen * sizeof(u32));

I just committed the following fix for this, it probably takes less
effort to post a patch for this kind of bug than explain it, don't
you think? :)

--------------------
unix: If we happen to find peer NULL when diag dumping, write zero.

Otherwise we leave uninitialized kernel memory in there.

Reported-by: Eric Dumazet <eric.dumazet@...il.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
---
 net/unix/diag.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/net/unix/diag.c b/net/unix/diag.c
index 39e44c9..c5bdbcb 100644
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -86,8 +86,7 @@ static int sk_diag_dump_icons(struct sock *sk, struct sk_buff *nlskb)
 			 */
 			unix_state_lock_nested(req);
 			peer = unix_sk(req)->peer;
-			if (peer)
-				buf[i++] = sock_i_ino(peer);
+			buf[i++] = (peer ? sock_i_ino(peer) : 0);
 			unix_state_unlock(req);
 		}
 		spin_unlock(&sk->sk_receive_queue.lock);
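Review bot: the real defect is the count/length mismatch, and the ternary fixes it by always advancing `i`: the attribute was reserved with `UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS, sk->sk_receive_queue.qlen * sizeof(u32))`, i.e. one u32 per queued connection, but the old `if (peer) buf[i++] = ...` skipped a slot whenever `peer` was NULL, so the tail of the reserved payload was never written and went to userspace uninitialized. With `buf[i++] = (peer ? sock_i_ino(peer) : 0);` every reserved slot is filled, and 0 serves as the "no peer" marker (inode 0 is never a valid socket inode), which consumers of UNIX_DIAG_ICONS should be told to expect; a one-line comment above the assignment saying that 0 means "no peer yet" would make that contract explicit for anyone reading the dump code later.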
-- 
1.7.7.4
