From: Warchild <warchild@spoofed.org>
To: Bryan Rittmeyer <bryan@ixiacom.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: remote memory reading using arp?
Date: Sat, 27 Apr 2002 17:19:02 -0400 [thread overview]
Message-ID: <20020427211902.GD6240@spoofed.org> (raw)
In-Reply-To: <20020427202756.GC6240@spoofed.org> <3CCB0EAB.9050602@ixiacom.com>
On Sat, Apr 27, 2002 at 01:48:43PM -0700, Bryan Rittmeyer wrote:
> > [oh my god, i see userspace text strings in ARP packets]
*sigh*
> It's not the ARP layer that's causing the padding... Ethernet has a
> minimum transmit size of 64 bytes (everything below that is disgarded
> by hardware as a fragment), so the network device driver or
> the hardware itself will pad any Linux skb smaller than 60 bytes up to
> that size (so that it's 64 bytes after appending CRC32). Apparently, in
> some cases that's done by just transmitting whatever uninitialized
> memory follows skb->data, which, after the system has been running
> for a while, may be inside a page previously used by userspace.
That makes perfect sense. Thanks for the explanation.
> This is NOT a "remote memory reading" exploit, since there is no way to
> remotely control what address in memory gets used as padding. I guess
> you could packet blast a machine and hope to find something
> interesting, but that'd be a denial of service attack long before you
> got a complete view of system memory. In any case, it's arguably
> userspace's responsibility to clear any sensitive memory contents
> before exiting. I would be more concerned if you can find data
> from currently in use, userspace-allocated pages flying out as packet
> padding (i.e. if reading past skb->data pushes you into somebody else's
> page, which seems unlikely since new skb's tend to get allocated near
> the beginning of a page).
Correct. It'd take far too long and I'd go cross-eyed long before I got
anything other than useless garbage. Isn't this similar to the bug within
the last year that dealt with userland memory disclosure via tcp/icmp? What
was the "verdict" with that?
Please note that nowhere in my email did I use the word exploit.
> If you are really concerned you could probably patch the network driver
> to zero out memory that will be used as padding, though I don't think
> the security risk justifies that performance hit.
Agreed. It doesn't bother me much at all. I was just curious what was
going on.
thanks, and keep up the good work,
-warchild
next prev parent reply other threads:[~2002-04-27 21:15 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-04-27 20:27 remote memory reading using arp? Warchild
2002-04-27 20:48 ` Bryan Rittmeyer
2002-04-27 21:19 ` Warchild [this message]
[not found] <20020427202756.GC6240@spoofed.org.suse.lists.linux.kernel>
[not found] ` <3CCB0EAB.9050602@ixiacom.com.suse.lists.linux.kernel>
2002-04-28 12:26 ` Andi Kleen
2002-04-28 17:47 ` warchild
2002-04-29 15:24 ` Calin A. Culianu
2002-04-29 15:31 ` Andi Kleen
2002-04-30 3:04 ` warchild
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20020427211902.GD6240@spoofed.org \
--to=warchild@spoofed.org \
--cc=bryan@ixiacom.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox