oss-sec mailing list archives

Re: CVE request: kernel stack infoleaks


From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Tue, 2 Nov 2010 15:08:46 -0400

And since I've already gotten flack for this comment, I'll add for the
sake of clarity: the second item is not a security issue if
CAP_NET_RAW is synonymous with root access in your privilege model, as
is the case on most systems.

-Dan

On Tue, Nov 2, 2010 at 1:11 PM, Dan Rosenberg <dan.j.rosenberg () gmail com> wrote:
Note that AF_PACKET requires CAP_NET_RAW to open a socket, so the
second issue isn't reachable by unprivileged users and shouldn't be
considered a security issue.

-Dan

On Tue, Nov 2, 2010 at 12:07 PM, Jon Oberheide <jon () oberheide org> wrote:
Vasiliy Kulikov discovered three kernel stack infoleaks in various
packet families of the net subsystem:

===========================================================

net/ax25

Sometimes ax25_getname() doesn't initialize all members of
fsa_digipeater field of fsa struct.  This structure is then copied to
userland.  It leads to leaking of contents of kernel stack memory.  We
have to initialize them to zero.

http://marc.info/?l=linux-netdev&m=128854507120898&w=2

===========================================================

net/packet

packet_getname_spkt() doesn't initialize all members of sa_data field of
sockaddr struct if strlen(dev->name) < 13.  This structure is then
copied to userland.  It leads to leaking of contents of kernel stack
memory.  We have to fully fill sa_data with strncpy() instead of
strlcpy().

http://marc.info/?l=linux-netdev&m=128854507220908&w=2

===========================================================

net/tipc

Structure sockaddr_tipc is copied to userland with padding bytes after
"id" field in union field "name" uninitialized.  It leads to leaking of
contents of kernel stack memory.  We have to initialize them to zero.

http://marc.info/?l=linux-netdev&m=128854507420917&w=2

===========================================================

Regards,
Jon Oberheide

--
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE
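An added illustration of the net/packet item above (not code from the kernel or from this thread): a stand-in for packet_getname_spkt() fills a 14-byte sa_data with a strlcpy()-style copy, which writes only strlen(name)+1 bytes, beside the strncpy() version, which zero-pads the whole field. A sentinel byte 0xAA is assumed to represent whatever stale data was on the kernel stack; stale_bytes() counts how many sentinel bytes would reach userland.

```c
/* Added illustration, not the kernel's code. Models the sockaddr filled
 * by packet_getname_spkt(): sa_data is 14 bytes; a device name shorter
 * than 13 chars leaves the tail untouched by a strlcpy()-style copy, and
 * those bytes are then handed to userland. The 0xAA sentinel stands in
 * for uninitialised kernel stack contents (an assumption for the demo). */
#include <string.h>

#define SA_DATA_LEN 14
#define STALE 0xAA

/* Minimal kernel-style strlcpy: always NUL-terminates, never pads. */
static size_t kstrlcpy(char *dst, const char *src, size_t size) {
    size_t len = strlen(src);
    if (size) {
        size_t n = len >= size ? size - 1 : len;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Same layout as struct sockaddr: family + 14 bytes of sa_data. */
struct spkt_addr { unsigned short family; char sa_data[SA_DATA_LEN]; };

/* Vulnerable pattern: only strlen(name)+1 bytes of sa_data are written. */
static void getname_spkt_leaky(struct spkt_addr *sa, const char *name) {
    sa->family = 17; /* AF_PACKET */
    kstrlcpy(sa->sa_data, name, SA_DATA_LEN);
}

/* Fixed pattern: strncpy() zero-fills sa_data up to SA_DATA_LEN. */
static void getname_spkt_fixed(struct spkt_addr *sa, const char *name) {
    sa->family = 17;
    strncpy(sa->sa_data, name, SA_DATA_LEN);
}

/* Count bytes of sa_data still holding the stale sentinel after the copy;
 * anything above 0 is kernel memory a userland caller would receive. */
int stale_bytes(void (*getname)(struct spkt_addr *, const char *),
                const char *name) {
    struct spkt_addr sa;
    memset(&sa, STALE, sizeof sa);   /* simulate a dirty stack frame */
    getname(&sa, name);
    int n = 0;
    for (int i = 0; i < SA_DATA_LEN; i++)
        if ((unsigned char)sa.sa_data[i] == STALE) n++;
    return n;
}
```

The same reasoning applies to the ax25 and tipc items: field-by-field assignment never touches unused array slots or struct padding, so a memset() of the whole structure before filling it is the general fix.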



