From: Vasiliy Kulikov <segooon@gmail.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: kernel-janitors@vger.kernel.org,
"David S. Miller" <davem@davemloft.net>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: core: sock: fix information leak to userland
Date: Sat, 30 Oct 2010 18:49:51 +0400
Message-ID: <20101030144951.GA25135@albatros>
In-Reply-To: <1288449350.2680.970.camel@edumazet-laptop>
On Sat, Oct 30, 2010 at 16:35 +0200, Eric Dumazet wrote:
> On Saturday, 30 October 2010 at 18:26 +0400, Vasiliy Kulikov wrote:
> > "Address" variable might not be fully initialized in sock->ops->get_name().
> > The only current implementation is get_name(), it leaves some padding
> > fields of sockaddr_tipc uninitialized. It leads to leaking of contents
> > of kernel stack memory.
> >
> > Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
> > ---
> > Compile tested.
> >
> > net/core/sock.c | 1 +
> > 1 files changed, 1 insertions(+), 0 deletions(-)
> >
> > diff --git a/net/core/sock.c b/net/core/sock.c
> > index 3eed542..759dd81 100644
> > --- a/net/core/sock.c
> > +++ b/net/core/sock.c
> > @@ -930,6 +930,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
> > {
> > char address[128];
> >
> > + memset(&address, 0, sizeof(address));
> > if (sock->ops->getname(sock, (struct sockaddr *)address, &lv, 2))
> > return -ENOTCONN;
> > if (lv < len)
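Review bot: the memset() added before the getname() call clears only this caller's address[] buffer, so the uninitialized sockaddr_tipc padding named in the commit message still reaches any other caller of sock->ops->getname() that supplies its own buffer; the TIPC get_name() implementation should zero its output regardless, and this memset is at most a belt-and-braces measure on top of that. Minor style point on the same added line: address is already an array, so `memset(address, 0, sizeof(address));` is the usual form rather than `&address`.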
>
> ???
>
> Please fix the real bug.
What if somebody wants to create his own implementation of getname()?
IMO it's much safer to introduce memset() here and relax getname()'s
responsibilities. Quite many drivers "forget" to initialize output
structures. E.g. a new net_device's private field is kzalloc'ed to
simplify drivers' code.
--
Vasiliy
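A userspace model of the leak pattern argued over in this thread, added here as an illustration; it is not part of the original messages and not the kernel's or the patch's code. The struct layout, the function names (getname_leaky, getname_fixed, peername_model, count_stale, stale_bytes) and the 0xAA marker standing in for stale stack data are all constructed for the example. It places the two positions side by side: clearing the buffer in the caller, as the patch does, and clearing the output inside the getname() implementation itself, as Eric asks for, and counts how many stale bytes reach "userland" in each case.

```c
/* Userspace model of an uninitialized-stack-memory leak through a
 * sockaddr-like output structure. Constructed for illustration; not
 * kernel code. The 0xAA marker stands in for stale kernel stack data. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define STALE 0xAA

/* sockaddr-like struct with implicit padding: one byte after addrtype
 * (to align addr) and three bytes after scope (tail padding) on common
 * ABIs, so sizeof() is larger than the sum of the named fields. */
struct fake_sockaddr {
    uint16_t family;
    uint8_t  addrtype;
    uint32_t addr;
    uint8_t  scope;
};

typedef void (*getname_fn)(struct fake_sockaddr *sa, int *len);

/* Callee mirroring the behaviour the commit message describes: only some
 * fields are written; the other fields and the padding are left alone. */
void getname_leaky(struct fake_sockaddr *sa, int *len)
{
    sa->family = 30;          /* arbitrary family value for the example */
    sa->addr   = 0x01001001;  /* arbitrary address; no 0xAA byte in it */
    *len = (int)sizeof(*sa);
}

/* Callee fixed at the source: clear the whole output, then fill it in. */
void getname_fixed(struct fake_sockaddr *sa, int *len)
{
    memset(sa, 0, sizeof(*sa));
    sa->family = 30;
    sa->addr   = 0x01001001;
    *len = (int)sizeof(*sa);
}

/* Model of the SO_PEERNAME path in sock_getsockopt(): a 128-byte buffer,
 * the getname callback, then lv bytes copied out ("to userland").
 * clear_in_caller selects the memset() the patch adds. Returns the number
 * of bytes copied out. */
int peername_model(getname_fn getname, int clear_in_caller,
                   unsigned char *user_out, size_t user_len)
{
    union {
        unsigned char raw[128];
        struct fake_sockaddr sa;   /* keeps raw[] suitably aligned */
    } address;
    int lv = 0;

    /* Constructed stand-in for stale data already present on the stack. */
    memset(address.raw, STALE, sizeof(address.raw));

    if (clear_in_caller)
        memset(address.raw, 0, sizeof(address.raw));  /* the patch's line */

    getname(&address.sa, &lv);
    if ((size_t)lv > user_len)
        lv = (int)user_len;
    memcpy(user_out, address.raw, (size_t)lv);        /* copy_to_user() */
    return lv;
}

/* Count bytes in the copied-out region that still carry the stale marker. */
int count_stale(const unsigned char *buf, int n)
{
    int i, stale = 0;
    for (i = 0; i < n; i++)
        if (buf[i] == STALE)
            stale++;
    return stale;
}

/* Run one scenario and return how many stale bytes reached "userland". */
int stale_bytes(getname_fn getname, int clear_in_caller)
{
    unsigned char out[sizeof(struct fake_sockaddr)];
    int n = peername_model(getname, clear_in_caller, out, sizeof(out));
    return count_stale(out, n);
}

int main(void)
{
    int total = (int)sizeof(struct fake_sockaddr);
    printf("leaky callee, no caller memset : %d/%d stale bytes\n",
           stale_bytes(getname_leaky, 0), total);
    printf("leaky callee, caller memset    : %d/%d stale bytes\n",
           stale_bytes(getname_leaky, 1), total);
    printf("fixed callee, no caller memset : %d/%d stale bytes\n",
           stale_bytes(getname_fixed, 0), total);
    return 0;
}
```

With the leaky callee and no caller-side clearing, every byte the callee did not write (the unset fields and the compiler padding) is copied out still carrying the marker. Either memset() brings that to zero for this path, but only the callee-side fix protects every caller of the same getname() routine; the caller-side memset covers one call site.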
Thread overview: 3+ messages
2010-10-30 14:26 [PATCH] net: core: sock: fix information leak to userland Vasiliy Kulikov
2010-10-30 14:35 ` Eric Dumazet
2010-10-30 14:49 ` Vasiliy Kulikov [this message]