* [PATCH 1/2] block: cciss: fix information leak to userland @ 2010-10-23 8:25 Vasiliy Kulikov 2010-10-25 14:03 ` scameron 2010-10-25 14:40 ` Miller, Mike (OS Dev) 0 siblings, 2 replies; 5+ messages in thread From: Vasiliy Kulikov @ 2010-10-23 8:25 UTC (permalink / raw) To: kernel-janitors Cc: Mike Miller, Jens Axboe, Stephen M. Cameron, Andrew Morton, iss_storagedev, linux-kernel Structure IOCTL_Command_struct is copied to userland with some padding fields at the end of the struct unitialized. It leads to leaking of stack memory. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> --- drivers/block/cciss.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c index 762a81a..cd08324 100644 --- a/drivers/block/cciss.c +++ b/drivers/block/cciss.c @@ -1142,6 +1142,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode, int err; u32 cp; + memset(&arg64, 0, sizeof(arg64)); err = 0; err | copy_from_user(&arg64.LUN_info, &arg32->LUN_info, -- 1.7.0.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
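Review bot: the memset() added before the field-by-field copy_from_user() calls is the right fix for cciss_ioctl32_passthru(): arg64 is built on the kernel stack, only the named fields are filled from arg32, and when the whole struct is later copied back to userland its padding bytes still hold whatever the stack held before, so zeroing the object up front is what closes the leak. Two follow-ups on the same patch: the commit message's "leaking of stack memory" reads like a memory leak, so it should say that kernel stack contents are disclosed to userland; and the same copy-fields-then-copy-whole-struct pattern in cciss_ioctl32_big_passthru() needs the identical memset(), as does any other compat ioctl in the file that assembles its 64-bit argument on the stack this way.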
* Re: [PATCH 1/2] block: cciss: fix information leak to userland 2010-10-23 8:25 [PATCH 1/2] block: cciss: fix information leak to userland Vasiliy Kulikov @ 2010-10-25 14:03 ` scameron 2010-10-25 14:40 ` Miller, Mike (OS Dev) 1 sibling, 0 replies; 5+ messages in thread From: scameron @ 2010-10-25 14:03 UTC (permalink / raw) To: Vasiliy Kulikov Cc: kernel-janitors, Mike Miller, Jens Axboe, Andrew Morton, iss_storagedev, linux-kernel, scameron On Sat, Oct 23, 2010 at 12:25:11PM +0400, Vasiliy Kulikov wrote: > Structure IOCTL_Command_struct is copied to userland with some > padding fields at the end of the struct unitialized. > It leads to leaking of stack memory. leaking of contents of kernel stack memory to userland, not a memory leak, just to be clear. > > Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> > --- > drivers/block/cciss.c | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > > diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c > index 762a81a..cd08324 100644 > --- a/drivers/block/cciss.c > +++ b/drivers/block/cciss.c > @@ -1142,6 +1142,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode, > int err; > u32 cp; > > + memset(&arg64, 0, sizeof(arg64)); > err = 0; > err |> copy_from_user(&arg64.LUN_info, &arg32->LUN_info, > -- > 1.7.0.4 Ack. Thanks. I would think hpsa needs a similar fix, and also cciss_ioctl32_big_passthru(). I suppose it's possible the big passthru alignment just "works out", (I haven't checked), but even if that is the case, probably best not to rely on such an accident, -- steve ^ permalink raw reply [flat|nested] 5+ messages in thread
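The leak class this reply pins down (a struct assembled on the stack field by field, then copied whole to userland, so its padding bytes carry stale stack contents) and the memset() fix, as an added user-space demonstration written for this page, not code from the cciss driver. The struct cmd_arg layout, the STALE marker and the passthru() helper are constructed stand-ins; plain memset()/memcpy() stand in for copy_from_user()/copy_to_user().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an ioctl argument struct (not the real
 * IOCTL_Command_struct layout): the u8 fields force padding bytes
 * before buf_size and after status on any ABI with 4-byte u32 alignment. */
struct cmd_arg {
    uint8_t  lun;       /* filled from the user-supplied 32-bit struct */
    uint32_t buf_size;  /* filled from the user-supplied 32-bit struct */
    uint8_t  status;    /* filled by the handler */
};

#define STALE 0xAA  /* marker for whatever an earlier call left on the stack */

/* Simulated handler: `arg` is a stack slot still holding STALE bytes. The
 * handler fills the named fields one by one and then copies the whole object
 * out. zero_first == 0 is the pre-patch behaviour; zero_first == 1 is the
 * memset(&arg64, 0, sizeof(arg64)) the patch adds. */
static void passthru(struct cmd_arg *arg, uint8_t lun, uint32_t size,
                     int zero_first, unsigned char *user_out)
{
    memset(arg, STALE, sizeof(*arg));     /* stale kernel stack contents */
    if (zero_first)
        memset(arg, 0, sizeof(*arg));     /* the fix: zero padding too */
    arg->lun = lun;                       /* per-field copy_from_user() */
    arg->buf_size = size;
    arg->status = 0;
    memcpy(user_out, arg, sizeof(*arg));  /* copy_to_user() of the whole struct */
}

/* Count bytes reaching "userland" that belong to no named field and still
 * carry the STALE marker, i.e. the padding bytes that leaked. */
size_t leaked_padding_bytes(int zero_first)
{
    struct cmd_arg slot;
    unsigned char out[sizeof(struct cmd_arg)];
    unsigned char is_field[sizeof(struct cmd_arg)] = {0};
    size_t leaked = 0;

    passthru(&slot, 1, 512, zero_first, out);
    memset(is_field + offsetof(struct cmd_arg, lun), 1, sizeof(slot.lun));
    memset(is_field + offsetof(struct cmd_arg, buf_size), 1, sizeof(slot.buf_size));
    memset(is_field + offsetof(struct cmd_arg, status), 1, sizeof(slot.status));
    for (size_t i = 0; i < sizeof out; i++)
        if (!is_field[i] && out[i] == STALE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("leaked padding bytes: before fix %zu, after fix %zu\n",
           leaked_padding_bytes(0), leaked_padding_bytes(1));
    return 0;
}
```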
* RE: [PATCH 1/2] block: cciss: fix information leak to userland 2010-10-23 8:25 [PATCH 1/2] block: cciss: fix information leak to userland Vasiliy Kulikov 2010-10-25 14:03 ` scameron @ 2010-10-25 14:40 ` Miller, Mike (OS Dev) 2010-10-25 16:36 ` Miller, Mike (OS Dev) 1 sibling, 1 reply; 5+ messages in thread From: Miller, Mike (OS Dev) @ 2010-10-25 14:40 UTC (permalink / raw) To: Vasiliy Kulikov, kernel-janitors@vger.kernel.org Cc: Jens Axboe, Stephen M. Cameron, Andrew Morton, ISS StorageDev, linux-kernel@vger.kernel.org > -----Original Message----- > From: Vasiliy Kulikov [mailto:segooon@gmail.com] > Sent: Saturday, October 23, 2010 3:25 AM > To: kernel-janitors@vger.kernel.org > Cc: Miller, Mike (OS Dev); Jens Axboe; Stephen M. Cameron; > Andrew Morton; ISS StorageDev; linux-kernel@vger.kernel.org > Subject: [PATCH 1/2] block: cciss: fix information leak to userland > > Structure IOCTL_Command_struct is copied to userland with > some padding fields at the end of the struct unitialized. > It leads to leaking of stack memory. > > Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> > --- > drivers/block/cciss.c | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > > diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c > index 762a81a..cd08324 100644 > --- a/drivers/block/cciss.c > +++ b/drivers/block/cciss.c > @@ -1142,6 +1142,7 @@ static int > cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode, > int err; > u32 cp; > > + memset(&arg64, 0, sizeof(arg64)); > err = 0; > err |> copy_from_user(&arg64.LUN_info, &arg32->LUN_info, > -- Acked-by: Mike Miller <mike.miller@hp.com> > 1.7.0.4 > > ^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: [PATCH 1/2] block: cciss: fix information leak to userland 2010-10-25 14:40 ` Miller, Mike (OS Dev) @ 2010-10-25 16:36 ` Miller, Mike (OS Dev) 2010-10-27 15:43 ` Vasiliy Kulikov 0 siblings, 1 reply; 5+ messages in thread From: Miller, Mike (OS Dev) @ 2010-10-25 16:36 UTC (permalink / raw) To: Miller, Mike (OS Dev), Vasiliy Kulikov, kernel-janitors@vger.kernel.org Cc: Jens Axboe, Stephen M. Cameron, Andrew Morton, ISS StorageDev, linux-kernel@vger.kernel.org > -----Original Message----- > From: Miller, Mike (OS Dev) > Sent: Monday, October 25, 2010 9:41 AM > To: Vasiliy Kulikov; kernel-janitors@vger.kernel.org > Cc: Jens Axboe; Stephen M. Cameron; Andrew Morton; ISS StorageDev; > linux-kernel@vger.kernel.org > Subject: RE: [PATCH 1/2] block: cciss: fix information leak to userland > > > > > -----Original Message----- > > From: Vasiliy Kulikov [mailto:segooon@gmail.com] > > Sent: Saturday, October 23, 2010 3:25 AM > > To: kernel-janitors@vger.kernel.org > > Cc: Miller, Mike (OS Dev); Jens Axboe; Stephen M. Cameron; > > Andrew Morton; ISS StorageDev; linux-kernel@vger.kernel.org > > Subject: [PATCH 1/2] block: cciss: fix information leak to userland > > > > Structure IOCTL_Command_struct is copied to userland with > > some padding fields at the end of the struct unitialized. > > It leads to leaking of stack memory. > > > > Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> > > --- > > drivers/block/cciss.c | 1 + > > 1 files changed, 1 insertions(+), 0 deletions(-) > > > > diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c > > index 762a81a..cd08324 100644 > > --- a/drivers/block/cciss.c > > +++ b/drivers/block/cciss.c 
> > @@ -1142,6 +1142,7 @@ static int > > cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode, > > int err; > > u32 cp; > > > > + memset(&arg64, 0, sizeof(arg64)); > > err = 0; > > err |> > copy_from_user(&arg64.LUN_info, &arg32->LUN_info, > > -- > > Acked-by: Mike Miller <mike.miller@hp.com> BTW: this change needs to go into the cciss_ioctl32_big_passthru and the other passthru ioctls, also. -- mikem > > > 1.7.0.4 > > > > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] block: cciss: fix information leak to userland 2010-10-25 16:36 ` Miller, Mike (OS Dev) @ 2010-10-27 15:43 ` Vasiliy Kulikov 0 siblings, 0 replies; 5+ messages in thread From: Vasiliy Kulikov @ 2010-10-27 15:43 UTC (permalink / raw) To: Miller, Mike (OS Dev) Cc: kernel-janitors@vger.kernel.org, Jens Axboe, Stephen M. Cameron, Andrew Morton, ISS StorageDev, linux-kernel@vger.kernel.org Hi Mike, On Mon, Oct 25, 2010 at 16:36 +0000, Miller, Mike (OS Dev) wrote: > > > > -----Original Message----- > > From: Miller, Mike (OS Dev) > > Sent: Monday, October 25, 2010 9:41 AM > > To: Vasiliy Kulikov; kernel-janitors@vger.kernel.org > > Cc: Jens Axboe; Stephen M. Cameron; Andrew Morton; ISS StorageDev; > > linux-kernel@vger.kernel.org > > Subject: RE: [PATCH 1/2] block: cciss: fix information leak to userland > > > > > > > > > -----Original Message----- > > > From: Vasiliy Kulikov [mailto:segooon@gmail.com] > > > Sent: Saturday, October 23, 2010 3:25 AM > > > To: kernel-janitors@vger.kernel.org > > > Cc: Miller, Mike (OS Dev); Jens Axboe; Stephen M. Cameron; > > > Andrew Morton; ISS StorageDev; linux-kernel@vger.kernel.org > > > Subject: [PATCH 1/2] block: cciss: fix information leak to userland > > > > > > Structure IOCTL_Command_struct is copied to userland with > > > some padding fields at the end of the struct unitialized. > > > It leads to leaking of stack memory. > > > > > > Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> > > > --- > > > drivers/block/cciss.c | 1 + > > > 1 files changed, 1 insertions(+), 0 deletions(-) > > > > > > diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c > > > index 762a81a..cd08324 100644 > > > --- a/drivers/block/cciss.c > > > +++ b/drivers/block/cciss.c 
> > > @@ -1142,6 +1142,7 @@ static int > > > cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode, > > > int err; > > > u32 cp; > > > > > > + memset(&arg64, 0, sizeof(arg64)); > > > err = 0; > > > err |> > > copy_from_user(&arg64.LUN_info, &arg32->LUN_info, > > > -- > > > > Acked-by: Mike Miller <mike.miller@hp.com> > > BTW: this change needs to go into the cciss_ioctl32_big_passthru I've sent the patch, thanks. > and the other passthru ioctls, also. I don't see problems with them, they do copy_from_user() before filling the structure. > > -- mikem > > > > > > 1.7.0.4 > > > > > > Thanks, -- Vasiliy ^ permalink raw reply [flat|nested] 5+ messages in thread