From: Dan Carpenter <error27@gmail.com>
To: Changli Gao <xiaosuo@gmail.com>
Cc: Karsten Keil <isdn@linux-pingi.de>,
netdev@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] isdn: fix information leak
Date: Thu, 5 Aug 2010 15:55:11 +0200 [thread overview]
Message-ID: <20100805134910.GJ9031@bicker> (raw)
In-Reply-To: <AANLkTikGNr8aVV7Rryq_dvSuYjUbEo_gRDLW3d49YwF-@mail.gmail.com>
First of all, I'm happy that you're reviewing these patches. A lot of
learner, often untested, patches go through kernel-janitors and the
entire purpose of the list is to check each other's work.
Here is what I meant by an information leak. The original code did:
spid = kmalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
...
strcpy(spid, rcvmsg->msg_data.byte_array);
...
if (copy_to_user(data->dataptr, spid, SCIOC_SPIDSIZE)) {
When you allocate memory with kmalloc() it doesn't clear that memory. It
could have anything in there including passwords etc. If there is a
short string in "rcvmsg->msg_data.byte_array" like "123" then the
strcpy() puts that in the first 4 bytes of "spid", but the rest of the
buffer is still full of passwords.
The copy_to_user() sends it to the user, and normally the user only reads
as far as the terminator, but if they read past that then they would see
all the passwords etc that were saved there.
This function is in the ioctl() probably only root has open() permission
on the device so it's not a big deal because root can already find your
password. But I didn't dig that far. It's just simpler to zero out the
memory instead of worrying about if it really is exploitable or not.
Also it's quite possible that the strcpy can't overflow. But it's weird
for the code to leave space for the terminator and then not use it. In
the end, I decided to do the cautious thing and be done with it.
regards,
dan carpenter
next prev parent reply other threads:[~2010-08-05 13:55 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-05 9:38 [patch] isdn: fix information leak Dan Carpenter
2010-08-05 10:08 ` Changli Gao
2010-08-05 10:19 ` Dan Carpenter
2010-08-05 11:02 ` Changli Gao
2010-08-05 11:37 ` Dan Carpenter
2010-08-05 13:18 ` Changli Gao
2010-08-05 13:24 ` Changli Gao
2010-08-05 13:55 ` Dan Carpenter [this message]
2010-08-05 13:59 ` Changli Gao
2010-08-05 20:21 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100805134910.GJ9031@bicker \
--to=error27@gmail.com \
--cc=isdn@linux-pingi.de \
--cc=kernel-janitors@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=xiaosuo@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).