| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20151215.153626.1500179484827859040.davem@davemloft.net> Date: Tue, 15 Dec 2015 15:36:26 -0500 (EST) From: David Miller <davem@...emloft.net> To: dvyukov@...gle.com Cc: lauro.venancio@...nbossa.org, aloisio.almeida@...nbossa.org, sameo@...ux.intel.com, linux-wireless@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, syzkaller@...glegroups.com, edumazet@...gle.com, kcc@...gle.com, glider@...gle.com, sasha.levin@...cle.com Subject: Re: Information leak in llcp_sock_bind/llcp_raw_sock_bind From: Dmitry Vyukov <dvyukov@...gle.com> Date: Tue, 15 Dec 2015 21:00:20 +0100 > The problem is that llcp_sock_bind/llcp_raw_sock_bind do not check > sockaddr_len passed in, so they copy stack garbage from stack into the > socket and then return it in getsockname. > This can defeat ASLR, leak crypto keys, etc. That's actually the first thing these functions do. They completely clear out the on-stack llcp_addr, then they copy only as much as the user gave them, being careful not to use more than sizeof(llcp_addr). memset(&llcp_addr, 0, sizeof(llcp_addr)); len = min_t(unsigned int, sizeof(llcp_addr), alen); memcpy(&llcp_addr, addr, len); I don't see what the problem is, you'll need to be more specific. Even wrt. llcp_sock->service_name, the code limits the string to NFC_LLCP_MAX_SERVICE_NAME. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists