lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20131219.145622.2200263458055643644.davem@davemloft.net>
Date:	Thu, 19 Dec 2013 14:56:22 -0500 (EST)
From:	David Miller <davem@...emloft.net>
To:	dborkman@...hat.com
Cc:	darkjames-ws@...kjames.pl, netdev@...r.kernel.org
Subject: Re: [PATCH net] net: inet_diag: zero out uninitialized
 idiag_{src,dst} fields

From: Daniel Borkmann <dborkman@...hat.com>
Date: Tue, 17 Dec 2013 00:38:39 +0100

> Jakub reported while working with nlmon netlink sniffer that parts of
> the inet_diag_sockid are not initialized when r->idiag_family != AF_INET6.
> That is, fields of r->id.idiag_src[1 ... 3], r->id.idiag_dst[1 ... 3].
> 
> In fact, it seems that we can leak 6 * sizeof(u32) byte of kernel [slab]
> memory through this. At least, in udp_dump_one(), we allocate a skb in ...
> 
>   rep = nlmsg_new(sizeof(struct inet_diag_msg) + ..., GFP_KERNEL);
> 
> ... and then pass that to inet_sk_diag_fill() that puts the whole struct
> inet_diag_msg into the skb, where we only fill out r->id.idiag_src[0],
> r->id.idiag_dst[0] and leave the rest untouched:
> 
>   r->id.idiag_src[0] = inet->inet_rcv_saddr;
>   r->id.idiag_dst[0] = inet->inet_daddr;
> 
> struct inet_diag_msg embeds struct inet_diag_sockid that is correctly /
> fully filled out in IPv6 case, but for IPv4 not.
> 
> So just zero them out by using plain memset (for this little amount of
> bytes it's probably not worth the extra check for idiag_family == AF_INET).
> 
> Similarly, fix also other places where we fill that out.
> 
> Reported-by: Jakub Zawadzki <darkjames-ws@...kjames.pl>
> Signed-off-by: Daniel Borkmann <dborkman@...hat.com>

Applied and queued up for -stable, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ