* [PATCH] net: core: scm: fix information leak to userland
@ 2010-10-30 14:26 Vasiliy Kulikov
2010-10-30 14:33 ` Eric Dumazet
2010-10-30 19:12 ` David Miller
0 siblings, 2 replies; 4+ messages in thread
From: Vasiliy Kulikov @ 2010-10-30 14:26 UTC (permalink / raw)
To: kernel-janitors
Cc: David S. Miller, Eric W. Biederman, Eric Dumazet, Tejun Heo,
Serge E. Hallyn, netdev, linux-kernel
Structure cmsghdr is copied to userland with padding bytes
unitialized on architectures where __kernel_size_t is unsigned long.
It leads to leaking of contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
---
Compile tested.
net/core/scm.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/core/scm.c b/net/core/scm.c
index 413cab8..a4a9b70 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -233,6 +233,7 @@ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
msg->msg_flags |= MSG_CTRUNC;
cmlen = msg->msg_controllen;
}
+ memset(&cmhdr, 0, sizeof(cmhdr));
cmhdr.cmsg_level = level;
cmhdr.cmsg_type = type;
cmhdr.cmsg_len = cmlen;
--
1.7.0.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] net: core: scm: fix information leak to userland
2010-10-30 14:26 [PATCH] net: core: scm: fix information leak to userland Vasiliy Kulikov
@ 2010-10-30 14:33 ` Eric Dumazet
2010-10-30 14:50 ` Vasiliy Kulikov
2010-10-30 19:12 ` David Miller
1 sibling, 1 reply; 4+ messages in thread
From: Eric Dumazet @ 2010-10-30 14:33 UTC (permalink / raw)
To: Vasiliy Kulikov
Cc: kernel-janitors, David S. Miller, Eric W. Biederman, Tejun Heo,
Serge E. Hallyn, netdev, linux-kernel
Le samedi 30 octobre 2010 à 18:26 +0400, Vasiliy Kulikov a écrit :
> Structure cmsghdr is copied to userland with padding bytes
> unitialized on architectures where __kernel_size_t is unsigned long.
> It leads to leaking of contents of kernel stack memory.
>
> Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
> ---
> Compile tested.
>
> net/core/scm.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/net/core/scm.c b/net/core/scm.c
> index 413cab8..a4a9b70 100644
> --- a/net/core/scm.c
> +++ b/net/core/scm.c
> @@ -233,6 +233,7 @@ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
> msg->msg_flags |= MSG_CTRUNC;
> cmlen = msg->msg_controllen;
> }
> + memset(&cmhdr, 0, sizeof(cmhdr));
> cmhdr.cmsg_level = level;
> cmhdr.cmsg_type = type;
> cmhdr.cmsg_len = cmlen;
???
struct cmsghdr {
__kernel_size_t cmsg_len; /* data byte count, including hdr */
int cmsg_level; /* originating protocol */
int cmsg_type; /* protocol-specific type */
};
Could you explain where are the padding bytes ?
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] net: core: scm: fix information leak to userland
2010-10-30 14:33 ` Eric Dumazet
@ 2010-10-30 14:50 ` Vasiliy Kulikov
0 siblings, 0 replies; 4+ messages in thread
From: Vasiliy Kulikov @ 2010-10-30 14:50 UTC (permalink / raw)
To: Eric Dumazet
Cc: kernel-janitors, David S. Miller, Eric W. Biederman, Tejun Heo,
Serge E. Hallyn, netdev, linux-kernel
On Sat, Oct 30, 2010 at 16:33 +0200, Eric Dumazet wrote:
> Le samedi 30 octobre 2010 à 18:26 +0400, Vasiliy Kulikov a écrit :
> > Structure cmsghdr is copied to userland with padding bytes
> > unitialized on architectures where __kernel_size_t is unsigned long.
> > It leads to leaking of contents of kernel stack memory.
> >
> > Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
> > ---
> > Compile tested.
> >
> > net/core/scm.c | 1 +
> > 1 files changed, 1 insertions(+), 0 deletions(-)
> >
> > diff --git a/net/core/scm.c b/net/core/scm.c
> > index 413cab8..a4a9b70 100644
> > --- a/net/core/scm.c
> > +++ b/net/core/scm.c
> > @@ -233,6 +233,7 @@ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
> > msg->msg_flags |= MSG_CTRUNC;
> > cmlen = msg->msg_controllen;
> > }
> > + memset(&cmhdr, 0, sizeof(cmhdr));
> > cmhdr.cmsg_level = level;
> > cmhdr.cmsg_type = type;
> > cmhdr.cmsg_len = cmlen;
>
>
> ???
>
> struct cmsghdr {
> __kernel_size_t cmsg_len; /* data byte count, including hdr */
> int cmsg_level; /* originating protocol */
> int cmsg_type; /* protocol-specific type */
> };
>
> Could you explain where are the padding bytes ?
Ah, sorry, nowhere :) int is stored quite OK after long. Please ignore this patch.
Thanks,
--
Vasiliy
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] net: core: scm: fix information leak to userland
2010-10-30 14:26 [PATCH] net: core: scm: fix information leak to userland Vasiliy Kulikov
2010-10-30 14:33 ` Eric Dumazet
@ 2010-10-30 19:12 ` David Miller
1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2010-10-30 19:12 UTC (permalink / raw)
To: segooon
Cc: kernel-janitors, ebiederm, eric.dumazet, tj, serge, netdev,
linux-kernel
Your patches are almost entirely baseless.
You haven't even made an effort to show a real case, in detail,
where your patches actually fix a bug. The CMSG case shows
that you didn't even bother to look at the assembly of even
one architecture to see if padding bytes even existed in the
structure, and that furthermore even if they existed that they
would leak out ever.
I don't even buy the "preventative nature" argument for the
address[128] thing. If a protocol is leaking kernel memory in that
case, it also isn't filling in the address value properly, which is a
bug times two.
I absolutely am not applying these patches, sorry.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2010-10-30 19:12 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-10-30 14:26 [PATCH] net: core: scm: fix information leak to userland Vasiliy Kulikov
2010-10-30 14:33 ` Eric Dumazet
2010-10-30 14:50 ` Vasiliy Kulikov
2010-10-30 19:12 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).