From: Eli Cohen <eli@dev.mellanox.co.il>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Eli Cohen <eli@mellanox.com>, Roland Dreier <roland@kernel.org>,
Sean Hefty <sean.hefty@intel.com>,
Hal Rosenstock <hal.rosenstock@gmail.com>,
linux-rdma@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] IB/mlx5: stack info leak in mlx5_ib_alloc_ucontext()
Date: Mon, 29 Jul 2013 12:02:28 +0000 [thread overview]
Message-ID: <20130729120228.GA20064@mtldesk30> (raw)
In-Reply-To: <20130728202323.GA5053@mwanda>
On Sun, Jul 28, 2013 at 11:24:43PM +0300, Dan Carpenter wrote:
>
> First let me say that I don't know how this code is called, it may
> be root only, but even in that case I think it's still worth
> applying my patch.
It can be called by non root users as well.
>
> These info leak problems are a well known security problem so I
> didn't put a long explanation. What you do is you fill the stack
> with function pointers, then you call the function that leaks. Then
> you have a potentially useful pointer which was supposed to be
> secret. Something like that anyway.
>
> There are probably lots of other easier ways to defeat address space
> randomization. There may be other ways you can use info leaks as
> well...
>
> Anyway, regardless, static checkers and code auditors look for these
> leaks so applying the patch makes sense just to silence a warning.
>
OK, I am convinced that it's worth applying.
Acked by Eli Cohen <eli@mellanox.com>
WARNING: multiple messages have this Message-ID (diff)
From: Eli Cohen <eli@dev.mellanox.co.il>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Eli Cohen <eli@mellanox.com>, Roland Dreier <roland@kernel.org>,
Sean Hefty <sean.hefty@intel.com>,
Hal Rosenstock <hal.rosenstock@gmail.com>,
linux-rdma@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] IB/mlx5: stack info leak in mlx5_ib_alloc_ucontext()
Date: Mon, 29 Jul 2013 15:02:28 +0300 [thread overview]
Message-ID: <20130729120228.GA20064@mtldesk30> (raw)
In-Reply-To: <20130728202323.GA5053@mwanda>
On Sun, Jul 28, 2013 at 11:24:43PM +0300, Dan Carpenter wrote:
>
> First let me say that I don't know how this code is called, it may
> be root only, but even in that case I think it's still worth
> applying my patch.
It can be called by non root users as well.
>
> These info leak problems are a well known security problem so I
> didn't put a long explanation. What you do is you fill the stack
> with function pointers, then you call the function that leaks. Then
> you have a potentially useful pointer which was supposed to be
> secret. Something like that anyway.
>
> There are probably lots of other easier ways to defeat address space
> randomization. There may be other ways you can use info leaks as
> well...
>
> Anyway, regardless, static checkers and code auditors look for these
> leaks so applying the patch makes sense just to silence a warning.
>
OK, I am convinced that it's worth applying.
Acked by Eli Cohen <eli@mellanox.com>
next prev parent reply other threads:[~2013-07-29 12:02 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-25 17:04 [patch] IB/mlx5: stack info leak in mlx5_ib_alloc_ucontext() Dan Carpenter
2013-07-25 17:04 ` Dan Carpenter
2013-07-28 7:23 ` Eli Cohen
2013-07-28 7:23 ` Eli Cohen
2013-07-28 20:24 ` Dan Carpenter
2013-07-28 20:24 ` Dan Carpenter
2013-07-29 12:02 ` Eli Cohen [this message]
2013-07-29 12:02 ` Eli Cohen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130729120228.GA20064@mtldesk30 \
--to=eli@dev.mellanox.co.il \
--cc=dan.carpenter@oracle.com \
--cc=eli@mellanox.com \
--cc=hal.rosenstock@gmail.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=roland@kernel.org \
--cc=sean.hefty@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.