* [PATCH 1/3] net: ax25: fix information leak to userland @ 2010-10-31 17:10 Vasiliy Kulikov 2010-10-31 18:00 ` Ralf Baechle 2010-10-31 18:08 ` Eric Dumazet 0 siblings, 2 replies; 3+ messages in thread From: Vasiliy Kulikov @ 2010-10-31 17:10 UTC (permalink / raw) To: kernel-janitors Cc: Joerg Reuter, Ralf Baechle, David S. Miller, linux-hams, netdev, linux-kernel Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater field of fsa struct. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. We have to initialize them to zero. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> --- net/ax25/af_ax25.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 26eaebf..a324d83 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -1392,6 +1392,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr, ax25_cb *ax25; int err = 0; + memset(&fsa->fsa_digipeater, 0, sizeof(fsa->fsa_digipeater)); lock_sock(sk); ax25 = ax25_sk(sk); -- 1.7.0.4 ^ permalink raw reply related [flat|nested] 3+ messages in thread
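Review bot: the added memset clears only fsa_digipeater, so the padding between sax25_call (a 7-byte ax25_address) and the int sax25_ndigis inside fsa_ax25 is still uninitialized stack memory when the struct is copied to userland; clearing the whole buffer at the same spot with `memset(fsa, 0, sizeof(*fsa));` covers the hole and the array in one line and makes the later `fsa->fsa_ax25.sax25_ndigis = 0;` redundant. The commit message's "Sometimes" would also read better if it named the case, namely the path where the `if (ax25->digipeat != NULL)` branch visible in the follow-up hunk is not taken and the digipeater array is never written.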
* Re: [PATCH 1/3] net: ax25: fix information leak to userland 2010-10-31 17:10 [PATCH 1/3] net: ax25: fix information leak to userland Vasiliy Kulikov @ 2010-10-31 18:00 ` Ralf Baechle 2010-10-31 18:08 ` Eric Dumazet 1 sibling, 0 replies; 3+ messages in thread From: Ralf Baechle @ 2010-10-31 18:00 UTC (permalink / raw) To: Vasiliy Kulikov Cc: kernel-janitors, Joerg Reuter, David S. Miller, linux-hams, netdev, linux-kernel On Sun, Oct 31, 2010 at 08:10:22PM +0300, Vasiliy Kulikov wrote: > Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater > field of fsa struct. This structure is then copied to userland. It leads to > leaking of contents of kernel stack memory. We have to initialize them to zero. > > Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Acked-by: Ralf Baechle <ralf@linux-mips.org> Ralf ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH 1/3] net: ax25: fix information leak to userland 2010-10-31 17:10 [PATCH 1/3] net: ax25: fix information leak to userland Vasiliy Kulikov 2010-10-31 18:00 ` Ralf Baechle @ 2010-10-31 18:08 ` Eric Dumazet 1 sibling, 0 replies; 3+ messages in thread From: Eric Dumazet @ 2010-10-31 18:08 UTC (permalink / raw) To: Vasiliy Kulikov Cc: kernel-janitors, Joerg Reuter, Ralf Baechle, David S. Miller, linux-hams, netdev, linux-kernel Le dimanche 31 octobre 2010 à 20:10 +0300, Vasiliy Kulikov a écrit : > Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater > field of fsa struct. This structure is then copied to userland. It leads to > leaking of contents of kernel stack memory. We have to initialize them to zero. > > Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> > --- > net/ax25/af_ax25.c | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > > diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c > index 26eaebf..a324d83 100644 > --- a/net/ax25/af_ax25.c > +++ b/net/ax25/af_ax25.c > @@ -1392,6 +1392,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr, > ax25_cb *ax25; > int err = 0; > > + memset(&fsa->fsa_digipeater, 0, sizeof(fsa->fsa_digipeater)); > lock_sock(sk); > ax25 = ax25_sk(sk); > If you really want to fix this for good, please do it completely ? sa_family_t is a short ax25_address is 7 bytes. Therefore, there is a hole before sax25_ndigis. struct sockaddr_ax25 { sa_family_t sax25_family; ax25_address sax25_call; <hole> int sax25_ndigis; /* Digipeater ax25_address sets follow */ }; struct full_sockaddr_ax25 { struct sockaddr_ax25 fsa_ax25; ax25_address fsa_digipeater[AX25_MAX_DIGIS]; }; So a correct patch is the following one. Note AX25 is probably used by nobody at all, so a full memset() is not performance critical in this path. diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 26eaebf..6da5dae 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c 
@@ -1392,6 +1392,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr, ax25_cb *ax25; int err = 0; + memset(fsa, 0, sizeof(*fsa)); lock_sock(sk); ax25 = ax25_sk(sk); @@ -1403,7 +1404,6 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr, fsa->fsa_ax25.sax25_family = AF_AX25; fsa->fsa_ax25.sax25_call = ax25->dest_addr; - fsa->fsa_ax25.sax25_ndigis = 0; if (ax25->digipeat != NULL) { ndigi = ax25->digipeat->ndigi; ^ permalink raw reply related [flat|nested] 3+ messages in thread
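Review bot: in the first hunk the `memset(fsa, 0, sizeof(*fsa));` sits before lock_sock(sk), so any error return taken after the lock also hands userland a zeroed buffer rather than stale stack, which is the right ordering; the one-line hunk does not say why the whole struct rather than only the digipeater array is cleared, so a short comment above it (e.g. `/* also zero the padding between sax25_call and sax25_ndigis */`) would keep that reasoning with the code instead of only in this mail.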
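Review bot: in the second hunk, dropping `fsa->fsa_ax25.sax25_ndigis = 0;` is correct only together with the memset added in the first hunk, so the two hunks must not be split or backported separately; it also leaves the path where ax25->digipeat is NULL relying on the function-entry memset implicitly, and since the explicit store costs nothing, keeping it would make that path readable without knowing about the memset twelve lines earlier.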
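The padding hole Eric describes, demonstrated in userland with an added C example that is not part of the thread's patches: it rebuilds the two structs quoted above, fills a buffer with a sentinel standing in for stale stack bytes, applies either the digipeater-only memset or the whole-struct memset, and counts the sentinel bytes that survive. AX25_MAX_DIGIS is assumed to be 8, AF_AX25 is the Linux value 3, and ax25_padding_bytes / ax25_leaked_bytes are names chosen here.

```c
#include <stddef.h>
#include <string.h>

/* Userland copy of the structs quoted in the thread. sa_family_t is a
 * 2-byte short and ax25_address is 7 bytes; AX25_MAX_DIGIS is assumed
 * to be 8 here (its value is not given on the page). */
typedef unsigned short sa_family_t;
typedef struct { char ax25_call[7]; } ax25_address;
#define AX25_MAX_DIGIS 8
#define AF_AX25 3            /* Linux value of the AX.25 address family */
#define STALE 0xAA           /* stands in for leftover kernel stack bytes */

struct sockaddr_ax25 {
    sa_family_t  sax25_family;
    ax25_address sax25_call;  /* 7 bytes: the compiler pads before the int */
    int          sax25_ndigis;
};
struct full_sockaddr_ax25 {
    struct sockaddr_ax25 fsa_ax25;
    ax25_address         fsa_digipeater[AX25_MAX_DIGIS];
};

/* Width of the hole between sax25_call and sax25_ndigis (3 on x86/x86-64). */
size_t ax25_padding_bytes(void)
{
    return offsetof(struct sockaddr_ax25, sax25_ndigis)
         - offsetof(struct sockaddr_ax25, sax25_call) - sizeof(ax25_address);
}

/* Model ax25_getname() with digipeat == NULL on a dirty stack buffer.
 * full_clear != 0 applies the memset(fsa, 0, sizeof(*fsa)) of Eric's patch,
 * otherwise only fsa_digipeater is zeroed as in the first patch. Returns the
 * number of bytes still holding STALE, i.e. what would reach userland. */
size_t ax25_leaked_bytes(int full_clear)
{
    struct full_sockaddr_ax25 fsa;
    unsigned char *p = (unsigned char *)&fsa;
    size_t i, leaked = 0;

    memset(&fsa, STALE, sizeof(fsa));         /* simulate stale stack */
    if (full_clear)
        memset(&fsa, 0, sizeof(fsa));
    else
        memset(&fsa.fsa_digipeater, 0, sizeof(fsa.fsa_digipeater));

    fsa.fsa_ax25.sax25_family = AF_AX25;      /* same stores as ax25_getname */
    memset(&fsa.fsa_ax25.sax25_call, 'A', sizeof(ax25_address));
    fsa.fsa_ax25.sax25_ndigis = 0;

    for (i = 0; i < sizeof(fsa); i++)
        if (p[i] == STALE)
            leaked++;
    return leaked;
}
```

With the digipeater-only memset the three padding bytes still carry the sentinel; with the whole-struct memset nothing does.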