oss-sec mailing list archives
Re: Re: Linux kernel: more net info leak fixes for v3.9
From: P J P <ppandit () redhat com>
Date: Tue, 23 Apr 2013 14:23:16 +0530 (IST)
Hello Mathias,
+-- On Mon, 22 Apr 2013, Mathias Krause wrote --+
| No. It is capped in move_addr_to_user() to the actual size -- if set by the
| protocol -- or sizeof(struct sockaddr_storage) -- whichever is smaller.
Yep, it seems to take the protocol value from ulen parameter, which is
pointing to users - msg->msg_namelen - field. And if ulen is greater than
kernel address length, it is set to klen. Either way, does not seem to leak
kernel memory, for it's capped at len = klen OR sizeof(addr).
===
int __user *uaddr_len;
uaddr_len = COMPAT_NAMELEN(msg);
...
err = get_user(len, ulen);
...
if (len > klen)
len = klen;
===
Leak seems to happen only when addr is not initialised: mode = VERIFY_WRITE.
| Yes, but see this discussion: http://thread.gmane.org/gmane.linux.kernel/1472604
Aha...EXCELLENT!! I've been wanting to ask this very question that why
aren't variables initialised in the kernel. This explains it!
It also explains whey `addr' is selectively initialised for VERIFY_READ and
not for VERIFY_WRITE. Interesting!
Thanks so much! :)
--
Prasad J Pandit / Red Hat Security Response Team
DB7A 84C5 D3F9 7CD1 B5EB C939 D048 7860 3655 602B
Current thread:
- Linux kernel: more net info leak fixes for v3.9 Mathias Krause (Apr 14)
- Re: Linux kernel: more net info leak fixes for v3.9 cve-assign (Apr 21)
- Re: Re: Linux kernel: more net info leak fixes for v3.9 P J P (Apr 22)
- Re: Re: Linux kernel: more net info leak fixes for v3.9 Mathias Krause (Apr 22)
- Re: Re: Linux kernel: more net info leak fixes for v3.9 P J P (Apr 22)
- Re: Re: Linux kernel: more net info leak fixes for v3.9 Mathias Krause (Apr 22)
- Re: Re: Linux kernel: more net info leak fixes for v3.9 P J P (Apr 23)
- Re: Re: Linux kernel: more net info leak fixes for v3.9 P J P (Apr 22)
- Re: Linux kernel: more net info leak fixes for v3.9 cve-assign (Apr 21)
- Re: Re: Linux kernel: more net info leak fixes for v3.9 cve-assign (Apr 22)
- Re: Re: Linux kernel: more net info leak fixes for v3.9 Greg KH (Apr 22)
- Re: Re: Linux kernel: more net info leak fixes for v3.9 Petr Matousek (Apr 23)
- Re: Re: Linux kernel: more net info leak fixes for v3.9 Mathias Krause (Apr 23)
- Re: Re: Linux kernel: more net info leak fixes for v3.9 P J P (Apr 23)