oss-sec mailing list archives
Linux kernel < 4.14.111 drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c kernel address dumps to user space
From: Fuqian Huang <huangfq.daxian () gmail com>
Date: Thu, 18 Apr 2019 21:33:42 +0800
In drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c:65 and
drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c:77,
nfp_net_debugfs_rx_q_read will dump the address of rx_rings->rxds and frag to debugfs, which allows a local user to read the kernel address via debugfs.

    static int nfp_net_debugfs_rx_q_read(struct seq_file *file, void *data)
    {
        seq_printf(file, "RX[%02d,%02d]: cnt=%u dma=%pad host=%p H_RD=%u H_WR=%u FL_RD=%u FL_WR=%u\n",
                   rx_ring->idx, rx_ring->fl_qcidx,
                   rx_ring->cnt, &rx_ring->dma, rx_ring->rxds,
                   rx_ring->rd_p, rx_ring->wr_p, fl_rd_p, fl_wr_p);
        ...
        if (frag)
            seq_printf(file, " frag=%p", frag);
        ...
    }

In drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c:148 and
drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c:164 and
drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c:167,
nfp_net_debugfs_tx_q_read will dump the address of rx_rings->rxds and skb->head and frag to debugfs, which allows a local user to read the kernel address via debugfs.

    static int nfp_net_debugfs_tx_q_read(struct seq_file *file, void *data)
    {
        ...
        seq_printf(file, "TX[%02d,%02d%s]: cnt=%u dma=%pad host=%p H_RD=%u H_WR=%u D_RD=%u D_WR=%u\n",
                   tx_ring->idx, tx_ring->qcidx,
                   tx_ring == r_vec->tx_ring ? "" : "xdp",
                   tx_ring->cnt, &tx_ring->dma, tx_ring->txds,
                   tx_ring->rd_p, tx_ring->wr_p, d_rd_p, d_wr_p);
        ...
        if (tx_ring == r_vec->tx_ring) {
            struct sk_buff *skb = READ_ONCE(tx_ring->txbufs[i].skb);

            if (skb)
                seq_printf(file, " skb->head=%p skb->data=%p",
                           skb->head, skb->data);
        } else {
            seq_printf(file, " frag=%p",
                       READ_ONCE(tx_ring->txbufs[i].frag));
        }
        ...
    }
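
Added example, not part of the original post or of the kernel tree: a small source audit that reports every bare %p conversion in C string literals, run here on format strings excerpted from the report. The function name is hypothetical, and the check assumes that any alphanumeric after %p is an extended-format suffix (%pad, %pK, ...), so only bare %p is reported.

```python
import re

# C string literal, allowing escaped characters such as \" and \n.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Either a literal "%%" (skipped below) or %p with optional flags/width that is
# NOT followed by an alphanumeric. Assumption of this example: alphanumerics
# after 'p' form an extended-format suffix (%pad, %pK, ...) and are not flagged.
BARE_P = re.compile(r'%%|%[-+ #0]*\d*p(?![A-Za-z0-9])')
# Field label immediately before the conversion, e.g. "host=" or "skb->head=".
LABEL = re.compile(r'([\w.>-]+)=$')


def find_bare_pointer_formats(c_source):
    """Return (line_number, label) for every bare %p inside a string literal."""
    findings = []
    for lit in STRING_LITERAL.finditer(c_source):
        line_no = c_source.count("\n", 0, lit.start()) + 1
        text = lit.group(1)
        for conv in BARE_P.finditer(text):
            if conv.group() == "%%":
                continue  # escaped percent sign, not a conversion
            label = LABEL.search(text[:conv.start()])
            findings.append((line_no, label.group(1) if label else "?"))
    return findings


# Format strings excerpted from the post above; surrounding code is trimmed.
SAMPLE = r'''
seq_printf(file, "RX[%02d,%02d]: cnt=%u dma=%pad host=%p H_RD=%u H_WR=%u FL_RD=%u FL_WR=%u\n",
           rx_ring->idx, rx_ring->fl_qcidx, rx_ring->cnt, &rx_ring->dma, rx_ring->rxds,
           rx_ring->rd_p, rx_ring->wr_p, fl_rd_p, fl_wr_p);
seq_printf(file, " frag=%p", frag);
seq_printf(file, " skb->head=%p skb->data=%p", skb->head, skb->data);
'''

if __name__ == "__main__":
    for line_no, label in find_bare_pointer_formats(SAMPLE):
        print(f"line {line_no}: '{label}' is printed with bare %p")
```

Each reported field is a candidate for removal from the debugfs output or for a restricted specifier such as %pK, which honours the kptr_restrict sysctl.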