[PATCH] fix infoleak in fcntl

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] fix infoleak in fcntl
@ 2016-05-03 20:34 Kangjie Lu
  2016-05-08 10:41 ` Christoph Hellwig
  2016-05-08 12:58 ` Richard Weinberger
  0 siblings, 2 replies; 4+ messages in thread
From: Kangjie Lu @ 2016-05-03 20:34 UTC (permalink / raw)
  To: jlayton
  Cc: bfields, viro, linux-fsdevel, linux-kernel, taesoo, insu,
	Kangjie Lu

The stack object “si” has a total size of 128 bytes; however, only
16 bytes are initialized. The remaining uninitialized bytes are
sent to userland via send_signal.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
---
 fs/fcntl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/fcntl.c b/fs/fcntl.c
index 350a2c8..d06f943 100644
--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -468,6 +468,7 @@ static void send_sigio_to_task(struct task_struct *p,
 			   delivered even if we can't queue.  Failure to
 			   queue in this case _should_ be reported; we fall
 			   back to SIGIO in that case. --sct */
+			memset(&si, 0, sizeof(si));
 			si.si_signo = signum;
 			si.si_errno = 0;
 		        si.si_code  = reason;
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] fix infoleak in fcntl
  2016-05-03 20:34 [PATCH] fix infoleak in fcntl Kangjie Lu
@ 2016-05-08 10:41 ` Christoph Hellwig
  2016-05-08 12:58 ` Richard Weinberger
  1 sibling, 0 replies; 4+ messages in thread
From: Christoph Hellwig @ 2016-05-08 10:41 UTC (permalink / raw)
  To: Kangjie Lu
  Cc: jlayton, bfields, viro, linux-fsdevel, linux-kernel, taesoo, insu,
	Kangjie Lu

On Tue, May 03, 2016 at 04:34:09PM -0400, Kangjie Lu wrote:
> The stack object ???si??? has a total size of 128 bytes; however, only
> 16 bytes are initialized. The remaining uninitialized bytes are
> sent to userland via send_signal.
> 
> Signed-off-by: Kangjie Lu <kjlu@gatech.edu>

Looks fine,

Reviewed-by: Christoph Hellwig <hch@lst.de>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] fix infoleak in fcntl
  2016-05-03 20:34 [PATCH] fix infoleak in fcntl Kangjie Lu
  2016-05-08 10:41 ` Christoph Hellwig
@ 2016-05-08 12:58 ` Richard Weinberger
  1 sibling, 0 replies; 4+ messages in thread
From: Richard Weinberger @ 2016-05-08 12:58 UTC (permalink / raw)
  To: Kangjie Lu
  Cc: Jeff Layton, Bruce Fields, Al Viro, linux-fsdevel, LKML, taesoo,
	insu, Kangjie Lu

On Tue, May 3, 2016 at 10:34 PM, Kangjie Lu <kangjielu@gmail.com> wrote:
> The stack object “si” has a total size of 128 bytes; however, only
> 16 bytes are initialized. The remaining uninitialized bytes are
> sent to userland via send_signal.

How did you find all these leaks?
Since you sent more than one patch I guess you used some tool, which one?

-- 
Thanks,
//richard

^ permalink raw reply	[flat|nested] 4+ messages in thread

[parent not found: <CABEk9Yy6qa+B0BuGAr8ERuojtmKJgB0SHcm3OD50gCPUqX=O+g@mail.gmail.com>]

* Re: [PATCH] fix infoleak in fcntl
       [not found] <CABEk9Yy6qa+B0BuGAr8ERuojtmKJgB0SHcm3OD50gCPUqX=O+g@mail.gmail.com>
@ 2016-05-08 21:01 ` Richard Weinberger
  0 siblings, 0 replies; 4+ messages in thread
From: Richard Weinberger @ 2016-05-08 21:01 UTC (permalink / raw)
  To: Kangjie Lu
  Cc: Jeff Layton, Bruce Fields, Al Viro, linux-fsdevel, LKML,
	Taesoo Kim, Insu Yun, Kangjie Lu

Am 08.05.2016 um 17:40 schrieb Kangjie Lu:
> 
> 
> On Sun, May 8, 2016 at 8:58 AM, Richard Weinberger <richard.weinberger@gmail.com <mailto:richard.weinberger@gmail.com>> wrote:
> 
>     On Tue, May 3, 2016 at 10:34 PM, Kangjie Lu <kangjielu@gmail.com <mailto:kangjielu@gmail.com>> wrote:
>     > The stack object “si” has a total size of 128 bytes; however, only
>     > 16 bytes are initialized. The remaining uninitialized bytes are
>     > sent to userland via send_signal.
> 
>     How did you find all these leaks?
>     Since you sent more than one patch I guess you used some tool, which one?
> 
> 
> Yes. Since there are *so many* infoleak vulnerabilities in the kernel, we are writing a
> static checker to find them.  We plan to release it once it is done, so people can use
> it to find more bugs in kernel or even other user space programs.

How does your tool work?
I'd guess it tries to find uninitialized structs passed into copy_to_user().

Thanks,
//richard

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-05-08 21:01 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-05-03 20:34 [PATCH] fix infoleak in fcntl Kangjie Lu
2016-05-08 10:41 ` Christoph Hellwig
2016-05-08 12:58 ` Richard Weinberger
     [not found] <CABEk9Yy6qa+B0BuGAr8ERuojtmKJgB0SHcm3OD50gCPUqX=O+g@mail.gmail.com>
2016-05-08 21:01 ` Richard Weinberger

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).