oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Linux kernel < 4.14.111 drivers/scsi/cxgbi/cxgb3i/cxgb3i.c kernel address dumps to user space

From: Fuqian Huang <huangfq.daxian () gmail com>
Date: Thu, 18 Apr 2019 21:34:30 +0800
In drivers/scsi/cxgbi/cxgb3i/cxgb3i.c:576,
do_act_open_rpl will dump the address of csk to dmesg
which allows local user to read kernel address via dmesg.

static int do_act_open_rpl(struct t3cdev *tdev, struct sk_buff *skb, void *ctx)
{
    ...
    pr_info("csk 0x%p,%u,0x%lx,%u, status %u, %pI4:%u-%pI4:%u.\n",
        csk, csk->state, csk->flags, csk->atid, rpl->status,
        &csk->saddr.sin_addr.s_addr, ntohs(csk->saddr.sin_port),
        &csk->daddr.sin_addr.s_addr, ntohs(csk->daddr.sin_port));
    ...
}

In drivers/scsi/cxgbi/cxgb3i/cxgb3i.c:1064,
cxgb3i_ofld_init will dump the address of cdev to dmesg
which allows local user to read kernel address via dmesg.

static int cxgb3i_ofld_init(struct cxgbi_device *cdev)
{
    ...
    pr_info("cdev 0x%p, offload up, added.\n", cdev);
    ...
}

In drivers/scsi/cxgbi/cxgb3i/cxgb3i.c:1343,
cxgb3i_dev_open will dump the address of cdev to dmesg
which allows local user to read kernel address via dmesg.

static void cxgb3i_dev_open(struct t3cdev *t3dev)
{
    ...
    pr_info("cdev 0x%p, f 0x%x, t3dev 0x%p open, err %d.\n",
        cdev, cdev ? cdev->flags : 0, t3dev, err);
    return;
    ...
}
Previous By Date Next
Previous By Thread Next

Current thread: