* [PATCH v2] net: tipc: fix possible infoleak in tipc_mon_rcv()
@ 2022-06-28 8:31 Hangyu Hua
2022-06-28 10:28 ` Tung Quang Nguyen
2022-06-30 3:31 ` Jakub Kicinski
0 siblings, 2 replies; 5+ messages in thread
From: Hangyu Hua @ 2022-06-28 8:31 UTC (permalink / raw)
To: jmaloy, ying.xue, davem, edumazet, kuba, pabeni, tung.q.nguyen
Cc: netdev, tipc-discussion, linux-kernel, Hangyu Hua
dom_bef is use to cache current domain record only if current domain
exists. But when current domain does not exist, dom_bef will still be used
in mon_identify_lost_members. This may lead to an information leak.
Fix this by adding a memset before using dom_bef.
Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
v2: remove redundant 'dom_bef.member_cnt = 0;'
net/tipc/monitor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
index 2f4d23238a7e..03b5d0b65169 100644
--- a/net/tipc/monitor.c
+++ b/net/tipc/monitor.c
@@ -534,7 +534,7 @@ void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr,
state->peer_gen = new_gen;
/* Cache current domain record for later use */
- dom_bef.member_cnt = 0;
+ memset(&dom_bef, 0, sizeof(dom_bef));
dom = peer->domain;
if (dom)
memcpy(&dom_bef, dom, dom->len);
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* RE: [PATCH v2] net: tipc: fix possible infoleak in tipc_mon_rcv()
2022-06-28 8:31 [PATCH v2] net: tipc: fix possible infoleak in tipc_mon_rcv() Hangyu Hua
@ 2022-06-28 10:28 ` Tung Quang Nguyen
2022-06-30 3:31 ` Jakub Kicinski
1 sibling, 0 replies; 5+ messages in thread
From: Tung Quang Nguyen @ 2022-06-28 10:28 UTC (permalink / raw)
To: Hangyu Hua
Cc: netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net,
linux-kernel@vger.kernel.org, jmaloy@redhat.com,
ying.xue@windriver.com, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com
> -----Original Message-----
> From: Hangyu Hua <hbh25y@gmail.com>
> Sent: Tuesday, June 28, 2022 3:31 PM
> To: jmaloy@redhat.com; ying.xue@windriver.com; davem@davemloft.net; edumazet@google.com; kuba@kernel.org;
> pabeni@redhat.com; Tung Quang Nguyen <tung.q.nguyen@dektech.com.au>
> Cc: netdev@vger.kernel.org; tipc-discussion@lists.sourceforge.net; linux-kernel@vger.kernel.org; Hangyu Hua <hbh25y@gmail.com>
> Subject: [PATCH v2] net: tipc: fix possible infoleak in tipc_mon_rcv()
>
> dom_bef is use to cache current domain record only if current domain
> exists. But when current domain does not exist, dom_bef will still be used
> in mon_identify_lost_members. This may lead to an information leak.
>
> Fix this by adding a memset before using dom_bef.
>
> Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
> ---
>
> v2: remove redundant 'dom_bef.member_cnt = 0;'
>
> net/tipc/monitor.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
> index 2f4d23238a7e..03b5d0b65169 100644
> --- a/net/tipc/monitor.c
> +++ b/net/tipc/monitor.c
> @@ -534,7 +534,7 @@ void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr,
> state->peer_gen = new_gen;
>
> /* Cache current domain record for later use */
> - dom_bef.member_cnt = 0;
> + memset(&dom_bef, 0, sizeof(dom_bef));
> dom = peer->domain;
> if (dom)
> memcpy(&dom_bef, dom, dom->len);
> --
> 2.25.1
Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH v2] net: tipc: fix possible infoleak in tipc_mon_rcv()
2022-06-28 8:31 [PATCH v2] net: tipc: fix possible infoleak in tipc_mon_rcv() Hangyu Hua
2022-06-28 10:28 ` Tung Quang Nguyen
@ 2022-06-30 3:31 ` Jakub Kicinski
2022-06-30 9:19 ` Hangyu Hua
1 sibling, 1 reply; 5+ messages in thread
From: Jakub Kicinski @ 2022-06-30 3:31 UTC (permalink / raw)
To: Hangyu Hua
Cc: jmaloy, ying.xue, davem, edumazet, pabeni, tung.q.nguyen, netdev,
tipc-discussion, linux-kernel
On Tue, 28 Jun 2022 16:31:22 +0800 Hangyu Hua wrote:
> dom_bef is use to cache current domain record only if current domain
> exists. But when current domain does not exist, dom_bef will still be used
> in mon_identify_lost_members. This may lead to an information leak.
AFAICT applied_bef must be zero if peer->domain was 0, so I don't think
mon_identify_lost_members() will do anything.
> Fix this by adding a memset before using dom_bef.
>
> Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH v2] net: tipc: fix possible infoleak in tipc_mon_rcv()
2022-06-30 3:31 ` Jakub Kicinski
@ 2022-06-30 9:19 ` Hangyu Hua
2022-06-30 15:27 ` Jakub Kicinski
0 siblings, 1 reply; 5+ messages in thread
From: Hangyu Hua @ 2022-06-30 9:19 UTC (permalink / raw)
To: Jakub Kicinski
Cc: jmaloy, ying.xue, davem, edumazet, pabeni, tung.q.nguyen, netdev,
tipc-discussion, linux-kernel
On 2022/6/30 11:31, Jakub Kicinski wrote:
> On Tue, 28 Jun 2022 16:31:22 +0800 Hangyu Hua wrote:
>> dom_bef is use to cache current domain record only if current domain
>> exists. But when current domain does not exist, dom_bef will still be used
>> in mon_identify_lost_members. This may lead to an information leak.
>
> AFAICT applied_bef must be zero if peer->domain was 0, so I don't think
> mon_identify_lost_members() will do anything.
>
void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr,
struct tipc_mon_state *state, int bearer_id)
{
...
if (!dom || (dom->len < new_dlen)) {
kfree(dom);
dom = kmalloc(new_dlen, GFP_ATOMIC); <--- [1]
peer->domain = dom;
if (!dom)
goto exit;
}
...
}
peer->domain will be NULL when [1] fails. But there will not change
peer->applied to 0. In this case, if tipc_mon_rcv is called again then
an information leak will happen.
Thanks,
Hangyu.
>> Fix this by adding a memset before using dom_bef.
>>
>> Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
>> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH v2] net: tipc: fix possible infoleak in tipc_mon_rcv()
2022-06-30 9:19 ` Hangyu Hua
@ 2022-06-30 15:27 ` Jakub Kicinski
0 siblings, 0 replies; 5+ messages in thread
From: Jakub Kicinski @ 2022-06-30 15:27 UTC (permalink / raw)
To: Hangyu Hua, jmaloy, ying.xue
Cc: davem, edumazet, pabeni, tung.q.nguyen, netdev, tipc-discussion,
linux-kernel
On Thu, 30 Jun 2022 17:19:21 +0800 Hangyu Hua wrote:
> On 2022/6/30 11:31, Jakub Kicinski wrote:
> > On Tue, 28 Jun 2022 16:31:22 +0800 Hangyu Hua wrote:
> >> dom_bef is use to cache current domain record only if current domain
> >> exists. But when current domain does not exist, dom_bef will still be used
> >> in mon_identify_lost_members. This may lead to an information leak.
> >
> > AFAICT applied_bef must be zero if peer->domain was 0, so I don't think
> > mon_identify_lost_members() will do anything.
> >
>
> void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr,
> struct tipc_mon_state *state, int bearer_id)
> {
> ...
> if (!dom || (dom->len < new_dlen)) {
> kfree(dom);
> dom = kmalloc(new_dlen, GFP_ATOMIC); <--- [1]
> peer->domain = dom;
> if (!dom)
> goto exit;
> }
> ...
> }
>
> peer->domain will be NULL when [1] fails. But there will not change
> peer->applied to 0. In this case, if tipc_mon_rcv is called again then
> an information leak will happen.
I see, good analysis! Jon, Xue - is there a reason domain gets wiped
on memory allocation failure? I'd think we should leave the previous
pointer in place instead of freeing it first.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-06-30 15:27 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-06-28 8:31 [PATCH v2] net: tipc: fix possible infoleak in tipc_mon_rcv() Hangyu Hua
2022-06-28 10:28 ` Tung Quang Nguyen
2022-06-30 3:31 ` Jakub Kicinski
2022-06-30 9:19 ` Hangyu Hua
2022-06-30 15:27 ` Jakub Kicinski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).