From: Richard Weinberger <richard@nod.at>
To: Kangjie Lu <kangjielu@gmail.com>
Cc: Jeff Layton <jlayton@poochiereds.net>,
Bruce Fields <bfields@fieldses.org>,
Al Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Taesoo Kim <taesoo@gatech.edu>, Insu Yun <insu@gatech.edu>,
Kangjie Lu <kjlu@gatech.edu>
Subject: Re: [PATCH] fix infoleak in fcntl
Date: Sun, 8 May 2016 23:01:42 +0200 [thread overview]
Message-ID: <572FA936.30802@nod.at> (raw)
In-Reply-To: <CABEk9Yy6qa+B0BuGAr8ERuojtmKJgB0SHcm3OD50gCPUqX=O+g@mail.gmail.com>
On 08.05.2016 at 17:40, Kangjie Lu wrote:
>
>
> On Sun, May 8, 2016 at 8:58 AM, Richard Weinberger <richard.weinberger@gmail.com> wrote:
>
> On Tue, May 3, 2016 at 10:34 PM, Kangjie Lu <kangjielu@gmail.com> wrote:
> > The stack object “si” has a total size of 128 bytes; however, only
> > 16 bytes are initialized. The remaining uninitialized bytes are
> > sent to userland via send_signal.
>
> How did you find all these leaks?
> Since you sent more than one patch I guess you used some tool, which one?
>
>
> Yes. Since there are *so many* infoleak vulnerabilities in the kernel, we are writing a
> static checker to find them. We plan to release it once it is done, so people can use
> it to find more bugs in the kernel or even in other user-space programs.
How does your tool work?
I'd guess it tries to find uninitialized structs passed into copy_to_user().
Thanks,
//richard
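The leak pattern the quoted report describes (a 128-byte stack object of which only the first 16 bytes are assigned before the whole object is copied out to userland), shown as an added, self-contained illustration that is not part of this thread or of the kernel patch. The struct layout, the field names, the 0xA5 "stale stack" marker and the memcpy standing in for copy_to_user() are all assumptions made for the example; the real fcntl code and the real struct siginfo differ.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed stand-in for the 128-byte stack object "si" from the report.
 * The layout is illustrative only, not the kernel's struct siginfo. */
struct fake_siginfo {
    int si_signo;
    int si_errno;
    int si_code;
    int si_pid;               /* these 16 bytes are the only ones assigned */
    unsigned char rest[112];  /* 112 bytes that the sender never writes */
};

/* Marker standing in for whatever an earlier call left on the stack.
 * Real code inherits unpredictable bytes here; the marker makes it countable. */
#define STALE 0xA5

/* Stand-in for copy_to_user(): copies a kernel object into a "user" buffer. */
static void copy_to_user_sim(unsigned char *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Vulnerable pattern: four fields are assigned, the other 112 bytes keep
 * their previous contents, and the whole object is copied out. */
static void send_signal_vulnerable(unsigned char *user, int signo, int pid)
{
    struct fake_siginfo si;
    memset(&si, STALE, sizeof si);   /* simulated stale stack contents */

    si.si_signo = signo;
    si.si_errno = 0;
    si.si_code  = 0;
    si.si_pid   = pid;
    copy_to_user_sim(user, &si, sizeof si);
}

/* Hardened pattern: clear the entire object (fields and any padding)
 * before filling in the fields that matter. A "= {0}" initializer is
 * not a substitute, since it does not guarantee that padding is zeroed. */
static void send_signal_fixed(unsigned char *user, int signo, int pid)
{
    struct fake_siginfo si;
    memset(&si, STALE, sizeof si);   /* same simulated stale stack */

    memset(&si, 0, sizeof si);       /* the fix: no stale bytes survive */
    si.si_signo = signo;
    si.si_errno = 0;
    si.si_code  = 0;
    si.si_pid   = pid;
    copy_to_user_sim(user, &si, sizeof si);
}

/* Count the bytes of the user copy that still carry the stale marker. */
static size_t count_stale_bytes(const unsigned char *buf, size_t n)
{
    size_t stale = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE)
            stale++;
    return stale;
}

/* 29 (SIGIO on x86) and pid 4242 are arbitrary sample values chosen so that
 * none of their encoded bytes collide with the 0xA5 marker. */
size_t leaked_bytes_vulnerable(void)
{
    unsigned char user[sizeof(struct fake_siginfo)];
    send_signal_vulnerable(user, 29, 4242);
    return count_stale_bytes(user, sizeof user);
}

size_t leaked_bytes_fixed(void)
{
    unsigned char user[sizeof(struct fake_siginfo)];
    send_signal_fixed(user, 29, 4242);
    return count_stale_bytes(user, sizeof user);
}

int main(void)
{
    printf("object size: %zu bytes\n", sizeof(struct fake_siginfo));
    printf("stale bytes reaching userland, vulnerable: %zu\n",
           leaked_bytes_vulnerable());
    printf("stale bytes reaching userland, fixed:      %zu\n",
           leaked_bytes_fixed());
    return 0;
}
```

Run stand-alone it reports 112 stale bytes for the vulnerable path and 0 for the fixed one, matching the 128 minus 16 figure in the report. The same counting trick (poison the object, copy, count survivors) is a cheap way to confirm a suspected partial-initialisation leak in a harness before reasoning about the real stack contents.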
[not found] <CABEk9Yy6qa+B0BuGAr8ERuojtmKJgB0SHcm3OD50gCPUqX=O+g@mail.gmail.com>
2016-05-08 21:01 ` Richard Weinberger [this message]
2016-05-03 20:34 [PATCH] fix infoleak in fcntl Kangjie Lu
2016-05-08 10:41 ` Christoph Hellwig
2016-05-08 12:58 ` Richard Weinberger