From: Changli Gao <xiaosuo@gmail.com>
To: Dan Carpenter <error27@gmail.com>
Cc: Karsten Keil <isdn@linux-pingi.de>,
netdev@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] isdn: fix information leak
Date: Thu, 5 Aug 2010 21:59:52 +0800 [thread overview]
Message-ID: <AANLkTi=Pi6dyQ+NE-DW66hQKVLDD992DokqExaOb5o-0@mail.gmail.com> (raw)
In-Reply-To: <20100805134910.GJ9031@bicker>
On Thu, Aug 5, 2010 at 9:55 PM, Dan Carpenter <error27@gmail.com> wrote:
> First of all, I'm happy that you're reviewing these patches. A lot of
> learner, often untested, patches go through kernel-janitors and the
> entire purpose of the list is to check each other's work.
>
> Here is what I meant by an information leak. The original code did:
> spid = kmalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
> ...
> strcpy(spid, rcvmsg->msg_data.byte_array);
> ...
> if (copy_to_user(data->dataptr, spid, SCIOC_SPIDSIZE)) {
>
> When you allocate memory with kmalloc() it doesn't clear that memory. It
> could have anything in there including passwords etc. If there is a
> short string in "rcvmsg->msg_data.byte_array" like "123" then the
> strcpy() puts that in the first 4 bytes of "spid", but the rest of the
> buffer is still full of passwords.
>
> The copy_to_user() sends it to the user, and normally the user only reads
> as far as the terminator, but if they read past that then they would see
> all the passwords etc that were saved there.
>
> This function is in the ioctl() probably only root has open() permission
> on the device so it's not a big deal because root can already find your
> password. But I didn't dig that far. It's just simpler to zero out the
> memory instead of worrying about if it really is exploitable or not.
>
> Also it's quite possible that the strcpy can't overflow. But it's weird
> for the code to leave space for the terminator and then not use it. In
> the end, I decided to do the cautious thing and be done with it.
>
Thanks, Dan. I got it.
--
Regards,
Changli Gao(xiaosuo@gmail.com)
next prev parent reply other threads:[~2010-08-05 14:00 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-05 9:38 [patch] isdn: fix information leak Dan Carpenter
2010-08-05 10:08 ` Changli Gao
2010-08-05 10:19 ` Dan Carpenter
2010-08-05 11:02 ` Changli Gao
2010-08-05 11:37 ` Dan Carpenter
2010-08-05 13:18 ` Changli Gao
2010-08-05 13:24 ` Changli Gao
2010-08-05 13:55 ` Dan Carpenter
2010-08-05 13:59 ` Changli Gao [this message]
2010-08-05 20:21 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='AANLkTi=Pi6dyQ+NE-DW66hQKVLDD992DokqExaOb5o-0@mail.gmail.com' \
--to=xiaosuo@gmail.com \
--cc=error27@gmail.com \
--cc=isdn@linux-pingi.de \
--cc=kernel-janitors@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).