* [RFC bluetooth-next 0/2] ieee802154: socket: fix buffer overflow
@ 2015-01-10 22:33 Alexander Aring
2015-01-10 22:33 ` [RFC bluetooth-next 1/2] af_ieee802154: fix struct ieee802154_addr_sa size Alexander Aring
2015-01-10 22:33 ` [RFC bluetooth-next 2/2] ieee802154: socket: add BUILD_BUG_ON for cast check Alexander Aring
0 siblings, 2 replies; 4+ messages in thread
From: Alexander Aring @ 2015-01-10 22:33 UTC (permalink / raw)
To: linux-bluetooth; +Cc: linux-wpan, kernel, marcel, werner, mkl, Alexander Aring
Hi,
this is some critical bug fix here and I don't know how do deal with that now.
I don't know if you can "get root" by this security issue. But the socket interface
can be simple loaded by user via module-autoloading while using the address family.
Maybe there is no security issue and the buffers are cutted off. I don't know, but
there is definitely something wrong here.
In my opinion af_ieee802154 should go to stable (bluetooth), but this will break
the complete userspace interface for every application. I think there are no many
users so I will simple send
Patch 1/2 "af_ieee802154: fix struct ieee802154_addr_sa size"
to bluetooth. This is a RFC to talk about this issue and if somebody knows a better
way please tell that here. Note also all userspace applications need to be updated
after this patch. I really don't know how to deal with such issue and CC here a lot
of well known linux hackers and would be glad if I get any suggestions about that.
Or maybe I should go to the netdev mailinglist with this issue.
- Alex
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Werner Almesberger <werner@almesberger.net>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Alexander Aring (2):
af_ieee802154: fix struct ieee802154_addr_sa size
ieee802154: socket: add BUILD_BUG_ON for cast check
include/net/af_ieee802154.h | 2 +-
net/ieee802154/socket.c | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
--
2.2.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [RFC bluetooth-next 1/2] af_ieee802154: fix struct ieee802154_addr_sa size
2015-01-10 22:33 [RFC bluetooth-next 0/2] ieee802154: socket: fix buffer overflow Alexander Aring
@ 2015-01-10 22:33 ` Alexander Aring
2015-01-13 12:33 ` Phoebe Buckheister
2015-01-10 22:33 ` [RFC bluetooth-next 2/2] ieee802154: socket: add BUILD_BUG_ON for cast check Alexander Aring
1 sibling, 1 reply; 4+ messages in thread
From: Alexander Aring @ 2015-01-10 22:33 UTC (permalink / raw)
To: linux-bluetooth; +Cc: linux-wpan, kernel, marcel, werner, mkl, Alexander Aring
The structure "ieee802154_addr_sa" need to fit into the u8 sa_data[14]
from struct sockaddr, because there is a casting of "struct sockaddr" and
"struct ieee802154_sockaddr".
I tested a compiling with a 32 bit system and detected that the "struct
ieee802154_sockaddr", which contains the ieee802154_addr_sa structure, has a
size of 20 bytes. The "struct sockaddr" has a size of 16 bytes. This doesn't
fit together and some buffers are overflows. This patch changes the
"addr_type" type definition from "int" to "u8". After this change it will be
fits together.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
---
include/net/af_ieee802154.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/af_ieee802154.h b/include/net/af_ieee802154.h
index 7d38e2f..3652269 100644
--- a/include/net/af_ieee802154.h
+++ b/include/net/af_ieee802154.h
@@ -33,7 +33,7 @@ enum {
#define IEEE802154_ADDR_LEN 8
struct ieee802154_addr_sa {
- int addr_type;
+ u8 addr_type;
u16 pan_id;
union {
u8 hwaddr[IEEE802154_ADDR_LEN];
--
2.2.1
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [RFC bluetooth-next 1/2] af_ieee802154: fix struct ieee802154_addr_sa size
2015-01-10 22:33 ` [RFC bluetooth-next 1/2] af_ieee802154: fix struct ieee802154_addr_sa size Alexander Aring
@ 2015-01-13 12:33 ` Phoebe Buckheister
0 siblings, 0 replies; 4+ messages in thread
From: Phoebe Buckheister @ 2015-01-13 12:33 UTC (permalink / raw)
To: Alexander Aring; +Cc: linux-bluetooth, linux-wpan, kernel, marcel, werner, mkl
Hi,
On Sat, 10 Jan 2015 23:33:25 +0100
Alexander Aring <alex.aring@gmail.com> wrote:
> The structure "ieee802154_addr_sa" need to fit into the u8 sa_data[14]
> from struct sockaddr, because there is a casting of "struct sockaddr"
> and "struct ieee802154_sockaddr".
>
> I tested a compiling with a 32 bit system and detected that the
> "struct ieee802154_sockaddr", which contains the ieee802154_addr_sa
> structure, has a size of 20 bytes. The "struct sockaddr" has a size
> of 16 bytes. This doesn't fit together and some buffers are
> overflows. This patch changes the "addr_type" type definition from
> "int" to "u8". After this change it will be fits together.
Do look at how Unix domain sockets handle the problem. Also, IPv6
addresses exceed sizeof(struct sockaddr) quite significantly. Casting
pointers isn't a problem, only if we *ever* store our addrs to a struct
sockaddr will we have a problem.
Perhaps I am missing something, but from what I can tell, i think the
code is safe at least in that regard.
> Signed-off-by: Alexander Aring <alex.aring@gmail.com>
> ---
> include/net/af_ieee802154.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/net/af_ieee802154.h b/include/net/af_ieee802154.h
> index 7d38e2f..3652269 100644
> --- a/include/net/af_ieee802154.h
> +++ b/include/net/af_ieee802154.h
> @@ -33,7 +33,7 @@ enum {
> #define IEEE802154_ADDR_LEN 8
>
> struct ieee802154_addr_sa {
> - int addr_type;
> + u8 addr_type;
> u16 pan_id;
> union {
> u8 hwaddr[IEEE802154_ADDR_LEN];
^ permalink raw reply [flat|nested] 4+ messages in thread
* [RFC bluetooth-next 2/2] ieee802154: socket: add BUILD_BUG_ON for cast check
2015-01-10 22:33 [RFC bluetooth-next 0/2] ieee802154: socket: fix buffer overflow Alexander Aring
2015-01-10 22:33 ` [RFC bluetooth-next 1/2] af_ieee802154: fix struct ieee802154_addr_sa size Alexander Aring
@ 2015-01-10 22:33 ` Alexander Aring
1 sibling, 0 replies; 4+ messages in thread
From: Alexander Aring @ 2015-01-10 22:33 UTC (permalink / raw)
To: linux-bluetooth; +Cc: linux-wpan, kernel, marcel, werner, mkl, Alexander Aring
This patch adds an overdue BUILD_BUG_ON size check that the
"struct sockaddr_ieee802154" is never greater than the
"struct sockaddr". The IEEE 802.15.4 will cast the "struct sockaddr" to
struct sockaddr_ieee802154" at several places.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
---
net/ieee802154/socket.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index 2878d8c..9c09291 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -1085,6 +1085,9 @@ static int __init af_ieee802154_init(void)
{
int rc = -EINVAL;
+ BUILD_BUG_ON(sizeof(struct sockaddr_ieee802154) >
+ sizeof(struct sockaddr));
+
rc = proto_register(&ieee802154_raw_prot, 1);
if (rc)
goto out;
--
2.2.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-01-13 12:33 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-01-10 22:33 [RFC bluetooth-next 0/2] ieee802154: socket: fix buffer overflow Alexander Aring
2015-01-10 22:33 ` [RFC bluetooth-next 1/2] af_ieee802154: fix struct ieee802154_addr_sa size Alexander Aring
2015-01-13 12:33 ` Phoebe Buckheister
2015-01-10 22:33 ` [RFC bluetooth-next 2/2] ieee802154: socket: add BUILD_BUG_ON for cast check Alexander Aring
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).