From: Bryan Rittmeyer <bryan@ixiacom.com>
To: Warchild <warchild@spoofed.org>
Cc: linux-kernel@vger.kernel.org
Subject: Re: remote memory reading using arp?
Date: Sat, 27 Apr 2002 13:48:43 -0700 [thread overview]
Message-ID: <3CCB0EAB.9050602@ixiacom.com> (raw)
In-Reply-To: <20020427202756.GC6240@spoofed.org>
Warchild wrote:
> [oh my god, i see userspace text strings in ARP packets]
>
> I couldn't find anything in the archives about this, and also didn't see
> any changes in the arp implementation of the 2.4 kernel between 2.4.16 and
> 2.4.18. I also browsed rfc826 to see if there was any mention of 'padding
> data', but nothing caught my eye.
>
> Any ideas what is causing this?
It's not the ARP layer that's causing the padding... Ethernet has a
minimum transmit size of 64 bytes (everything below that is disgarded
by hardware as a fragment), so the network device driver or
the hardware itself will pad any Linux skb smaller than 60 bytes up to
that size (so that it's 64 bytes after appending CRC32). Apparently, in
some cases that's done by just transmitting whatever uninitialized
memory follows skb->data, which, after the system has been running
for a while, may be inside a page previously used by userspace.
This is NOT a "remote memory reading" exploit, since there is no way to
remotely control what address in memory gets used as padding. I guess
you could packet blast a machine and hope to find something
interesting, but that'd be a denial of service attack long before you
got a complete view of system memory. In any case, it's arguably
userspace's responsibility to clear any sensitive memory contents
before exiting. I would be more concerned if you can find data
from currently in use, userspace-allocated pages flying out as packet
padding (i.e. if reading past skb->data pushes you into somebody else's
page, which seems unlikely since new skb's tend to get allocated near
the beginning of a page).
If you are really concerned you could probably patch the network driver
to zero out memory that will be used as padding, though I don't think
the security risk justifies that performance hit.
-Bryan
next prev parent reply other threads:[~2002-04-27 20:49 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-04-27 20:27 remote memory reading using arp? Warchild
2002-04-27 20:48 ` Bryan Rittmeyer [this message]
2002-04-27 21:19 ` Warchild
[not found] <20020427202756.GC6240@spoofed.org.suse.lists.linux.kernel>
[not found] ` <3CCB0EAB.9050602@ixiacom.com.suse.lists.linux.kernel>
2002-04-28 12:26 ` Andi Kleen
2002-04-28 17:47 ` warchild
2002-04-29 15:24 ` Calin A. Culianu
2002-04-29 15:31 ` Andi Kleen
2002-04-30 3:04 ` warchild
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3CCB0EAB.9050602@ixiacom.com \
--to=bryan@ixiacom.com \
--cc=linux-kernel@vger.kernel.org \
--cc=warchild@spoofed.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox