oss-sec mailing list archives
Linux kernel < 4.14.111 drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c kernel address dumps to user space
From: Fuqian Huang <huangfq.daxian () gmail com>
Date: Thu, 18 Apr 2019 21:33:19 +0800
In drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c:320 ppm_destory will dump the address of ppm into dmesg, which allows local user to read the kernel address via dmesg. static void ppm_destroy(struct kref *kref) { ... pr_info("ippm: kref 0, destroy %s ppm 0x%p.\n", ppm->ndev->name, ppm); ... } In drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c:396 and drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c:458 and drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c:468, cxgbi_ppm_init will dump the address of ppm into dmesg, which allows local user to read the kernel address via dmesg. int cxgbi_ppm_init(void **ppm_pp, struct net_device *ndev, struct pci_dev *pdev, void *lldev, struct cxgbi_tag_format *tformat, unsigned int ppmax, unsigned int llimit, unsigned int start, unsigned int reserve_factor) { ... if (ppm) { pr_info("ippm: %s, ppm 0x%p,0x%p already initialized, %u/%u.\n", ndev->name, ppm_pp, ppm, ppm->ppmax, ppmax); kref_get(&ppm->refcnt); return 1; } ... if (*ppm_pp) { ... pr_info("ippm: %s, ppm 0x%p,0x%p already initialized, %u/%u.\n", ndev->name, ppm_pp, *ppm_pp, ppm->ppmax, ppmax); kref_get(&ppm->refcnt); return 1; } ... pr_info("ippm %s: ppm 0x%p, 0x%p, base %u/%u, pg %lu,%u, rsvd %u,%u.\n", ndev->name, ppm_pp, ppm, ppm->base_idx, ppm->ppmax, PAGE_SIZE, ppm->tformat.pgsz_idx_dflt, ppm->pool_rsvd, ppm->pool_index_max); ... }
Current thread:
- Linux kernel < 4.14.111 drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c kernel address dumps to user space Fuqian Huang (Apr 18)