[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20130407.163117.265521959609997339.davem@davemloft.net>
Date: Sun, 07 Apr 2013 16:31:17 -0400 (EDT)
From: David Miller <davem@...emloft.net>
To: minipli@...glemail.com
Cc: netdev@...r.kernel.org, allan.stephens@...driver.com,
aloisio.almeida@...nbossa.org, acking@...are.com,
acme@...stprotocols.net, dtor@...are.com, georgezhang@...are.com,
gustavo@...ovan.org, johan.hedberg@...il.com,
jon.maloy@...csson.com, lauro.venancio@...nbossa.org,
marcel@...tmann.org, ralf@...ux-mips.org, sameo@...ux.intel.com,
samuel@...tiz.org, sjur.brandeland@...ricsson.com,
ursula.braun@...ibm.com, spender@...ecurity.net
Subject: Re: [PATCH 00/16] info leak fixes in recvmsg
From: Mathias Krause <minipli@...glemail.com>
Date: Sun, 7 Apr 2013 13:51:46 +0200
> a few more info leak fixes in the recvmsg path. The error pattern here
> is the protocol specific recvmsg function is missing the msg_namelen
> assignment -- either completely or in early exit paths that do not
> result in errors in __sys_recvmsg()/sys_recvfrom() and, in turn, make
> them call move_addr_to_user(), leaking the then still uninitialized
> sockaddr_storage stack variable to userland.
>
> My audit was initiated by a rather coarse fix of the leak that can be
> found in the grsecurity patch, putting a penalty on protocols complying
> to the rules of recvmsg. So credits for finding the leak in the recvmsg
> path in __sys_recvmsg() should go to Brad!
>
> The buggy protocols/subsystems are rather obscure anyway. As a missing
> assignment of msg_namelen coupled with a missing filling of msg_name
> would only result in garbage -- the leak -- in case userland would care
> about that information, i.e. would provide a msg_name pointer. But
> obviously current userland does not.
>
> While auditing the code for the above pattern I found a few more
> 'uninitialized members' kind of leaks related to the msg_name filling.
> Those are fixed in this series, too.
>
> I have to admit, I failed to test all of the patches due to missing
> hardware, e.g. iucv depends on S390 -- hardware I've no access to :/
All applied and queued up for -stable, thanks!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists