Re: CVE request: kernel stack infoleaks

[Dan Rosenberg <dan.j.rosenberg () gmail com>]

Note that AF_PACKET requires CAP_NET_RAW to open a socket, so the
second issue isn't reachable by unprivileged users and shouldn't be
considered a security issue.

-Dan

On Tue, Nov 2, 2010 at 12:07 PM, Jon Oberheide <jon () oberheide org> wrote:
> Vasiliy Kulikov discovered three kernel stack infoleaks in various
> packet families of the net subsystem:
>
> ===========================================================
>
> net/ax25
>
> Sometimes ax25_getname() doesn't initialize all members of
> fsa_digipeater field of fsa struct.  This structure is then copied to
> userland.  It leads to leaking of contents of kernel stack memory.  We
> have to initialize them to zero.
>
> http://marc.info/?l=linux-netdev&m=128854507120898&w=2
>
> ===========================================================
>
> net/packet
>
> packet_getname_spkt() doesn't initialize all members of sa_data field of
> sockaddr struct if strlen(dev->name) < 13.  This structure is then
> copied to userland.  It leads to leaking of contents of kernel stack
> memory.  We have to fully fill sa_data with strncpy() instead of
> strlcpy().
>
> http://marc.info/?l=linux-netdev&m=128854507220908&w=2
>
> ===========================================================
>
> net/tipc
>
> Structure sockaddr_tipc is copied to userland with padding bytes after
> "id" field in union field "name" unitialized.  It leads to leaking of
> contents of kernel stack memory.  We have to initialize them to zero.
>
> http://marc.info/?l=linux-netdev&m=128854507420917&w=2
>
> ===========================================================
>
> Regards,
> Jon Oberheide
>
> --
> Jon Oberheide <jon () oberheide org>
> GnuPG Key: 1024D/F47C17FE
> Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE