[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a44df2a0-a403-40ba-3312-c6eb53ddf291@posteo.de>
Date: Sun, 13 Jun 2021 15:36:43 +0000
From: Patrick Menschel <menschel.p@...teo.de>
To: Norbert Slusarek <nslusarek@....net>
Cc: Oliver Hartkopp <socketcan@...tkopp.net>, mkl@...gutronix.de,
davem@...emloft.net, kuba@...nel.org, linux-can@...r.kernel.org,
netdev@...r.kernel.org
Subject: Re: [PATCH] can: bcm: fix infoleak in struct bcm_msg_head
Am 13.06.21 um 15:35 schrieb Norbert Slusarek:
>> Hi,
>>
>> 1.
>> Are you sure this leak really happens on 64-bit and not on 32-bit instead?
>>
>> I remember I got the problems with bcm msg head on the 32bit raspberry
>> pi because I missed the alignment by accident.
>>
>> When I calculate the size of msg head on a Ryzen 1800X with Python
>> 3.9.5, I get:
>>
>> struct.calcsize("IIIllllII"),struct.calcsize("IIIllllII0q")
>> (56, 56)
>>
>> First Value is raw, the second value is the alignment hack with the zero
>> length quad word "0q".
>>
>> On the 32bit raspberry pi, same op results in the gap.
>>
>> struct.calcsize("IIIllllII"),struct.calcsize("IIIllllII0q")
>> (36, 40)
>
> Hey Patrick,
>
> having reproduced this leak I could only observe the issue on 64-bit systems.
> I've just tested it on a 32-bit OS running on a raspberry pi and I couldn't observe
> any leak. The offset difference on 32-bit between count and ival1 is 4.
> On 64-bit systems, it's 8:
>
> (gdb) ptype struct bcm_msg_head
> type = struct bcm_msg_head {
> __u32 opcode;
> __u32 flags;
> __u32 count;
> struct bcm_timeval ival1;
> struct bcm_timeval ival2;
> canid_t can_id;
> __u32 nframes;
> struct can_frame frames[0];
> }
> (gdb) p/x &((struct bcm_msg_head *)0x0)->count
> $1 = 0x8
> (gdb) p/x &((struct bcm_msg_head *)0x0)->ival1
> $2 = 0x10
> (gdb) p sizeof(((struct bcm_msg_head *)0x0)->count)
> $3 = 4
>
Ouch,
I should not skip lines while reading.
We're talking about different gaps as it seems. I didn't realize the gap
in front of ival1 before.
There is also a gap in between nframes and frames[0].
That one is caused by align(8) of data in struct can_frame.
It propagates upwards into that gap on 32bit arch.
You can find it if you actually fill frames[] with a frame.
I found it while concatenating bcm_msg_head and a can frame into a
python bytearray which was too short for the raspberry pi as I forgot
the alignment.
I came up with a format string "IIIllllII0q" for bcm_msg_head.
Kind Regards,
Patrick
Powered by blists - more mailing lists