oss-sec mailing list archives
Linux kernel < 4.14.111 drivers/scsi/cxgbi/cxgb4i/cxgb4i.c kernel address dumps to user space
From: Fuqian Huang <huangfq.daxian () gmail com>
Date: Thu, 18 Apr 2019 21:35:40 +0800
In drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:299, send_act_open_req will dump the address of csk to dmesg, which allows a local user to read a kernel address via dmesg.

    static void send_act_open_req(struct cxgbi_sock *csk, struct sk_buff *skb,
                                  struct l2t_entry *e)
    {
        ...
        pr_info_ipaddr("t%d csk 0x%p,%u,0x%lx,%u, rss_qid %u.\n",
                       (&csk->saddr), (&csk->daddr),
                       CHELSIO_CHIP_VERSION(lldi->adapter_type), csk,
                       csk->state, csk->flags, csk->atid, csk->rss_qid);
        ...
    }

In drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:1792, cxgb4i_ofld_init will dump the address of cdev to dmesg, which allows a local user to read a kernel address via dmesg.

    static int cxgb4i_ofld_init(struct cxgbi_device *cdev)
    {
        ...
        pr_info("cdev 0x%p, offload up, added.\n", cdev);
        ...
    }

In drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2047, t4_uld_add will dump the address of cdev to dmesg, which allows a local user to read a kernel address via dmesg.

    static void *t4_uld_add(const struct cxgb4_lld_info *lldi)
    {
        ...
        pr_info("cdev 0x%p,%s, pfvf %u.\n",
                cdev, lldi->ports[0]->name, cdev->pfvf);
        ...
    }

In drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2129 and drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2132 and drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2136 and drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2139 and drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2143, t4_uld_state_change will dump the address of cdev to dmesg, which allows a local user to read a kernel address via dmesg.

    static int t4_uld_state_change(void *handle, enum cxgb4_state state)
    {
        struct cxgbi_device *cdev = handle;

        switch (state) {
        case CXGB4_STATE_UP:
            pr_info("cdev 0x%p, UP.\n", cdev);
            break;
        case CXGB4_STATE_START_RECOVERY:
            pr_info("cdev 0x%p, RECOVERY.\n", cdev);
            /* close all connections */
            break;
        case CXGB4_STATE_DOWN:
            pr_info("cdev 0x%p, DOWN.\n", cdev);
            break;
        case CXGB4_STATE_DETACH:
            pr_info("cdev 0x%p, DETACH.\n", cdev);
            cxgbi_device_unregister(cdev);
            break;
        default:
            pr_info("cdev 0x%p, unknown state %d.\n", cdev, state);
            break;
        }
        return 0;
    }
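Added example, not part of the original post or of the kernel source: a small Python audit script that flags logging calls whose format string contains a plain %p (no extension suffix such as %pK), the pattern reported above. The list of logging helpers and the sample source (built from the calls quoted in the post, plus one %pK line as a negative control) are assumptions made for the example.

```python
import re

# Logging helpers to inspect. Assumed list; pr_info_ipaddr is the cxgbi
# macro quoted in the post.
LOG_CALLS = ("printk", "pr_info", "pr_info_ipaddr", "pr_warn", "pr_err", "dev_info")
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(LOG_CALLS))
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Plain %p: not followed by an extension character (K in %pK, I in %pI4, ...).
RAW_P_RE = re.compile(r"%p(?![A-Za-z0-9])")

# Constructed sample: two calls from the post and a %pK negative control.
SAMPLE = r'''
static int t4_uld_state_change(void *handle, enum cxgb4_state state)
{
    pr_info("cdev 0x%p, UP.\n", cdev);
    pr_info("cdev 0x%pK, DOWN.\n", cdev);
    pr_info_ipaddr("t%d csk 0x%p,%u,0x%lx,%u, rss_qid %u.\n",
                   (&csk->saddr), (&csk->daddr), ver, csk, csk->state);
}
'''

def call_span(src, open_idx):
    """Index just past the ')' matching the '(' at open_idx; parens in strings are ignored."""
    depth, in_str, i = 0, False, open_idx
    while i < len(src):
        c = src[i]
        if in_str and c == "\\":
            i += 1                      # skip the escaped character
        elif c == '"':
            in_str = not in_str
        elif not in_str and c in "()":
            depth += 1 if c == "(" else -1
            if depth == 0:
                return i + 1
        i += 1
    return len(src)

def find_raw_pointer_logs(src):
    """Return (line, helper, count) for each logging call that prints a plain %p."""
    findings = []
    for m in CALL_RE.finditer(src):
        call = src[m.start():call_span(src, m.end() - 1)]
        fmt = "".join(STRING_RE.findall(call)).replace("%%", "")  # adjacent literals concatenate
        count = len(RAW_P_RE.findall(fmt))
        if count:
            findings.append((src.count("\n", 0, m.start()) + 1, m.group(1), count))
    return findings

if __name__ == "__main__":
    for line, helper, count in find_raw_pointer_logs(SAMPLE):
        print(f"line {line}: {helper}() logs {count} plain %p value(s)")
```

Each finding is a candidate for review: either the pointer does not need to be logged at all, or the call can use %pK so the value is subject to the kptr_restrict sysctl.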