Message-ID: <063D6719AE5E284EB5DD2968C1650D6D0F6EB791@AcuExch.aculab.com>
Date:	Fri, 28 Mar 2014 10:58:47 +0000
From:	David Laight <David.Laight@...LAB.COM>
To:	'Yann Droneaud' <ydroneaud@...eya.com>,
	Dan Carpenter <dan.carpenter@...cle.com>
CC:	Steve Wise <swise@...lsio.com>, Roland Dreier <roland@...nel.org>,
	"Sean Hefty" <sean.hefty@...el.com>,
	Hal Rosenstock <hal.rosenstock@...il.com>,
	"linux-rdma@...r.kernel.org" <linux-rdma@...r.kernel.org>,
	"kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"davem@...emloft.net" <davem@...emloft.net>,
	"roland@...estorage.com" <roland@...estorage.com>,
	"dm@...lsio.com" <dm@...lsio.com>,
	"leedom@...lsio.com" <leedom@...lsio.com>,
	"santosh@...lsio.com" <santosh@...lsio.com>,
	"kumaras@...lsio.com" <kumaras@...lsio.com>,
	"nirranjan@...lsio.com" <nirranjan@...lsio.com>,
	"hariprasad@...lsio.com" <hariprasad@...lsio.com>,
	Steve Wise <swise@...ngridcomputing.com>
Subject: RE: [patch] RDMA/cxgb4: info leak in c4iw_alloc_ucontext()

From: Yann Droneaud
> Hi,
> 
> On Friday 28 March 2014 at 11:24 +0300, Dan Carpenter wrote:
> > The c4iw_alloc_ucontext_resp struct has a 4 byte hole after the last
> > member and we should clear it before passing it to the user.
> >
> > Fixes: 05eb23893c2c ('cxgb4/iw_cxgb4: Doorbell Drop Avoidance Bug Fixes')
> > Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> >
> 
> It's not the proper fix for this issue: an explicit padding has to be
> added (and initialized), see "Re: [PATCH net-next 2/2] cxgb4/iw_cxgb4:
> Doorbell Drop Avoidance Bug Fixes"
> http://marc.info/?i=1395848977.3297.15.camel@localhost.localdomain
> 
> In its current form, the c4iw_alloc_ucontext_resp structure does not
> require padding on i386, so a 32-bit userspace program using this
> structure against an x86_64 kernel will make the kernel do a buffer
> overflow in userspace, likely on stack, as the answer to a GET_CONTEXT
> request:
...
> struct c4iw_alloc_ucontext_resp {
>         struct ibv_get_context_resp ibv_resp;
>         __u64 status_page_key;
>         __u32 status_page_size;
> };

Or add __attribute__((aligned(4))) to the 64-bit fields.
And maybe a compile time assert on the length of the structure.
Since it is part of an ABI it must not change.

	David
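
The three layouts discussed in this thread, side by side, as an added example (not code from the thread or from the cxgb4 driver). `struct ctx_resp` is a stand-in assumed to be two 32-bit fields, and the names `reserved`, `u64_align4` and `resp_*` are hypothetical; the attribute is applied through a typedef because GCC only lets `aligned` lower alignment there, and the compile-time length check uses C11 `_Static_assert`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for struct ibv_get_context_resp (assumed: two 32-bit fields). */
struct ctx_resp { uint32_t async_fd, num_comp_vectors; };

/* Layout quoted in the thread: 20 bytes on i386, 24 on x86_64 (tail hole). */
struct resp_implicit {
	struct ctx_resp ibv_resp;
	uint64_t status_page_key;
	uint32_t status_page_size;
};

/* Explicit padding; the member name "reserved" is hypothetical. */
struct resp_padded {
	struct ctx_resp ibv_resp;
	uint64_t status_page_key;
	uint32_t status_page_size;
	uint32_t reserved;	/* must be zeroed before copying to userspace */
};

/* On a typedef, aligned() may lower alignment; on a member it only raises it. */
typedef uint64_t u64_align4 __attribute__((aligned(4)));
struct resp_align4 {
	struct ctx_resp ibv_resp;
	u64_align4 status_page_key;
	uint32_t status_page_size;
};

/* Compile-time ABI checks: the build breaks if a layout ever changes. */
_Static_assert(sizeof(struct resp_padded) == 24, "resp_padded ABI size");
_Static_assert(offsetof(struct resp_padded, reserved) == 20, "pad offset");
_Static_assert(sizeof(struct resp_align4) == 20, "resp_align4 ABI size");

/* Bytes after the last member that member assignments never initialize. */
size_t implicit_tail_hole(void)
{
	return sizeof(struct resp_implicit)
	     - offsetof(struct resp_implicit, status_page_size) - sizeof(uint32_t);
}

int main(void)
{
	printf("implicit=%zu (tail hole %zu) padded=%zu align4=%zu\n",
	       sizeof(struct resp_implicit), implicit_tail_hole(),
	       sizeof(struct resp_padded), sizeof(struct resp_align4));
	return 0;
}
```

Building the same file with `-m32` and without it shows `resp_implicit` changing size while the other two layouts stay fixed.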
