* [PATCH] 8 bytes kernel memory disclosure in AppleTalk getsockname.
@ 2009-08-26 11:12 Clement LECIGNE
2009-08-26 12:01 ` Tetsuo Handa
2009-08-26 12:35 ` Eric Dumazet
0 siblings, 2 replies; 5+ messages in thread
From: Clement LECIGNE @ 2009-08-26 11:12 UTC (permalink / raw)
To: linux-kernel; +Cc: netdev
Hi,
In function atalk_getname(), sockaddr_at is returned in userland without
zero'ing the "char sat_zero[8]" field. This bug allows user to display 8
bytes leaked from the kernel stack.
Here is a patch that zero the whole sockaddr_at structure before
processing it. It should fix this bug.
Signed-off-by: Clément Lecigne <clement.lecigne@netasq.com>
--- linux/net/appletalk/ddp.c 2009-08-26 11:35:59.000000000 +0200
+++ linux/net/appletalk/ddp.c 2009-08-26 11:36:30.000000000 +0200
@@ -1241,6 +1241,8 @@ static int atalk_getname(struct socket *
if (atalk_autobind(sk) < 0)
return -ENOBUFS;
+ memset(&sat, 0, sizeof(struct sockaddr_at));
+
*uaddr_len = sizeof(struct sockaddr_at);
if (peer) {
--
Clément LECIGNE,
-Only one remote hole in the default install, in more than 10 years!<br>
+Only two remote holes in the default install, in more than 10 years!<br>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] 8 bytes kernel memory disclosure in AppleTalk getsockname. 2009-08-26 11:12 [PATCH] 8 bytes kernel memory disclosure in AppleTalk getsockname Clement LECIGNE @ 2009-08-26 12:01 ` Tetsuo Handa 2009-08-26 12:38 ` Eric Dumazet 2009-08-26 12:35 ` Eric Dumazet 1 sibling, 1 reply; 5+ messages in thread From: Tetsuo Handa @ 2009-08-26 12:01 UTC (permalink / raw) To: clement.lecigne; +Cc: linux-kernel, netdev Clement LECIGNE wrote: > Here is a patch that zero the whole sockaddr_at structure before > processing it. It should fix this bug. Same kind of bug at http://lkml.org/lkml/2006/7/25/51 . I wonder why not zero'ing sockaddr at the caller rather than zero'ing at individual ->getname(). Doing so will save some lines. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] 8 bytes kernel memory disclosure in AppleTalk getsockname. 2009-08-26 12:01 ` Tetsuo Handa @ 2009-08-26 12:38 ` Eric Dumazet 0 siblings, 0 replies; 5+ messages in thread From: Eric Dumazet @ 2009-08-26 12:38 UTC (permalink / raw) To: Tetsuo Handa; +Cc: clement.lecigne, linux-kernel, netdev Tetsuo Handa a écrit : > Clement LECIGNE wrote: >> Here is a patch that zero the whole sockaddr_at structure before >> processing it. It should fix this bug. > > Same kind of bug at http://lkml.org/lkml/2006/7/25/51 . > I wonder why not zero'ing sockaddr at the caller rather than > zero'ing at individual ->getname(). Doing so will save some lines. > -- It would not help zeroing buffer before calling ->getname(), since getname() will overwrite it with a memcpy(buffer, &somestruct, sizeof(somestruct)); ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] 8 bytes kernel memory disclosure in AppleTalk getsockname. 2009-08-26 11:12 [PATCH] 8 bytes kernel memory disclosure in AppleTalk getsockname Clement LECIGNE 2009-08-26 12:01 ` Tetsuo Handa @ 2009-08-26 12:35 ` Eric Dumazet 2009-08-26 12:39 ` Clement LECIGNE 1 sibling, 1 reply; 5+ messages in thread From: Eric Dumazet @ 2009-08-26 12:35 UTC (permalink / raw) To: Clement LECIGNE; +Cc: linux-kernel, netdev Clement LECIGNE a écrit : > Hi, > > In function atalk_getname(), sockaddr_at is returned in userland without > zero'ing the "char sat_zero[8]" field. This bug allows user to display 8 > bytes leaked from the kernel stack. > > Here is a patch that zero the whole sockaddr_at structure before > processing it. It should fix this bug. > > Signed-off-by: Clément Lecigne <clement.lecigne@netasq.com> > --- linux/net/appletalk/ddp.c 2009-08-26 11:35:59.000000000 +0200 > +++ linux/net/appletalk/ddp.c 2009-08-26 11:36:30.000000000 +0200 > @@ -1241,6 +1241,8 @@ static int atalk_getname(struct socket * > if (atalk_autobind(sk) < 0) > return -ENOBUFS; > > + memset(&sat, 0, sizeof(struct sockaddr_at)); > + > *uaddr_len = sizeof(struct sockaddr_at); > > if (peer) { > Hi Clement Well, I submitted same patch some weeks ago and I just checked that it was already in Linus tree. author Eric Dumazet <eric.dumazet@gmail.com> Thu, 6 Aug 2009 02:27:43 +0000 (02:27 +0000) committer David S. Miller <davem@davemloft.net> Thu, 6 Aug 2009 20:08:45 +0000 (13:08 -0700) commit 3d392475c873c10c10d6d96b94d092a34ebd4791 appletalk: fix atalk_getname() leak atalk_getname() can leak 8 bytes of kernel memory to user Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Dont worry, it'll be included in upcoming 2.6.31 kernel, and backported to previous ones as well. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] 8 bytes kernel memory disclosure in AppleTalk getsockname. 2009-08-26 12:35 ` Eric Dumazet @ 2009-08-26 12:39 ` Clement LECIGNE 0 siblings, 0 replies; 5+ messages in thread From: Clement LECIGNE @ 2009-08-26 12:39 UTC (permalink / raw) To: Eric Dumazet; +Cc: linux-kernel, netdev Wed, Aug 26, 2009 at 02:35:57PM +0200, Eric Dumazet wrote: > Clement LECIGNE a écrit : > > Hi, > > > > In function atalk_getname(), sockaddr_at is returned in userland without > > zero'ing the "char sat_zero[8]" field. This bug allows user to display 8 > > bytes leaked from the kernel stack. > > > > Here is a patch that zero the whole sockaddr_at structure before > > processing it. It should fix this bug. > > > > Signed-off-by: Clément Lecigne <clement.lecigne@netasq.com> > > --- linux/net/appletalk/ddp.c 2009-08-26 11:35:59.000000000 +0200 > > +++ linux/net/appletalk/ddp.c 2009-08-26 11:36:30.000000000 +0200 > > @@ -1241,6 +1241,8 @@ static int atalk_getname(struct socket * > > if (atalk_autobind(sk) < 0) > > return -ENOBUFS; > > > > + memset(&sat, 0, sizeof(struct sockaddr_at)); > > + > > *uaddr_len = sizeof(struct sockaddr_at); > > > > if (peer) { > > > Hi Clement > > Well, I submitted same patch some weeks ago and I just checked that > it was already in Linus tree. > > author Eric Dumazet <eric.dumazet@gmail.com> > Thu, 6 Aug 2009 02:27:43 +0000 (02:27 +0000) > committer David S. Miller <davem@davemloft.net> > Thu, 6 Aug 2009 20:08:45 +0000 (13:08 -0700) > commit 3d392475c873c10c10d6d96b94d092a34ebd4791 > > appletalk: fix atalk_getname() leak > > atalk_getname() can leak 8 bytes of kernel memory to user > > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > > > Dont worry, it'll be included in upcoming 2.6.31 kernel, > and backported to previous ones as well. Hi Eric, Oups, shame on me, I have not checked Linus tree before submitting the patch. Sorry, -- Clément LECIGNE, -Only one remote hole in the default install, in more than 10 years!<br> +Only two remote holes in the default install, in more than 10 years!<br> ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2009-08-26 12:40 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2009-08-26 11:12 [PATCH] 8 bytes kernel memory disclosure in AppleTalk getsockname Clement LECIGNE 2009-08-26 12:01 ` Tetsuo Handa 2009-08-26 12:38 ` Eric Dumazet 2009-08-26 12:35 ` Eric Dumazet 2009-08-26 12:39 ` Clement LECIGNE
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).