net: core: sock: fix information leak to userland

Message ID 1288448801-6303-1-git-send-email-segooon@gmail.com
State Rejected, archived
Delegated to: David Miller

Commit Message

Kulikov Vasiliy Oct. 30, 2010, 2:26 p.m. UTC
"Address" variable might not be fully initialized in sock->ops->get_name().
The only current implementation is get_name(); it leaves some padding
fields of sockaddr_tipc uninitialized.  This leads to leaking the contents
of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
---
 Compile tested.

 net/core/sock.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

Comments

Eric Dumazet Oct. 30, 2010, 2:35 p.m. UTC | #1
On Saturday 30 October 2010 at 18:26 +0400, Vasiliy Kulikov wrote:
> "Address" variable might not be fully initialized in sock->ops->get_name().
> The only current implementation is get_name(); it leaves some padding
> fields of sockaddr_tipc uninitialized.  This leads to leaking the contents
> of kernel stack memory.
> 
> Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
> ---
>  Compile tested.
> 
>  net/core/sock.c |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 3eed542..759dd81 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -930,6 +930,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
>  	{
>  		char address[128];
>  
> +		memset(&address, 0, sizeof(address));
>  		if (sock->ops->getname(sock, (struct sockaddr *)address, &lv, 2))
>  			return -ENOTCONN;
>  		if (lv < len)

???

Please fix the real bug.

Kulikov Vasiliy Oct. 30, 2010, 2:49 p.m. UTC | #2
On Sat, Oct 30, 2010 at 16:35 +0200, Eric Dumazet wrote:
> On Saturday 30 October 2010 at 18:26 +0400, Vasiliy Kulikov wrote:
> > "Address" variable might not be fully initialized in sock->ops->get_name().
> > The only current implementation is get_name(); it leaves some padding
> > fields of sockaddr_tipc uninitialized.  This leads to leaking the contents
> > of kernel stack memory.
> > 
> > Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
> > ---
> >  Compile tested.
> > 
> >  net/core/sock.c |    1 +
> >  1 files changed, 1 insertions(+), 0 deletions(-)
> > 
> > diff --git a/net/core/sock.c b/net/core/sock.c
> > index 3eed542..759dd81 100644
> > --- a/net/core/sock.c
> > +++ b/net/core/sock.c
> > @@ -930,6 +930,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
> >  	{
> >  		char address[128];
> >  
> > +		memset(&address, 0, sizeof(address));
> >  		if (sock->ops->getname(sock, (struct sockaddr *)address, &lv, 2))
> >  			return -ENOTCONN;
> >  		if (lv < len)
> 
> ???
> 
> Please fix the real bug.

What if somebody wants to create his own implementation of getname()?
IMO it's much safer to introduce memset() here and relax getname()'s
responsibilities.  Quite a few drivers "forget" to initialize output
structures.  E.g. a new net_device's private field is kzalloc'ed to
simplify the driver's code.
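To make the leak described in the commit message concrete, here is an added example (not code from the patch or from the kernel): a constructed address type with variants of different sizes, a getname() that fills only the smaller variant but reports the full length, and a caller buffer poisoned to stand in for stale stack contents. It counts how many never-written bytes fall inside the reported length, with the patch's caller-side memset() and a callee-side memset() as the two mitigations discussed in the thread; `demo_sockaddr`, `leaky_getname`, `fixed_getname` and `leaked_bytes` are all constructed names.

```c
#include <string.h>
#define MARK 0xAA /* stands in for stale kernel stack contents */

/* Constructed address type with variants of different sizes, loosely
 * modelled on the sockaddr_tipc union discussed in the thread. */
struct demo_sockaddr {
	unsigned short family;
	unsigned char addrtype, scope;
	union {
		struct { unsigned int ref, node; } id;               /* 8 bytes */
		struct { unsigned int type, lower, upper; } nameseq; /* 12 bytes */
	} addr;
};

/* Leaky getname(): fills only the "id" variant but reports the full size. */
static int leaky_getname(struct demo_sockaddr *a, int *len)
{
	a->family = 30; /* constructed address family value */
	a->addrtype = 1;
	a->scope = 2;
	a->addr.id.ref = 0x1234;
	a->addr.id.node = 0x5678;
	*len = sizeof(*a); /* the caller copies this many bytes to userland */
	return 0;
}

/* Fixed getname(): clears the whole output before filling it. */
static int fixed_getname(struct demo_sockaddr *a, int *len)
{
	memset(a, 0, sizeof(*a));
	return leaky_getname(a, len);
}

/* Mimic sock_getsockopt()'s buffer: poison it with MARK, optionally apply
 * the patch's memset(), call getname(), then count MARK bytes within the
 * reported length, i.e. bytes that would reach userland unwritten. */
int leaked_bytes(int (*getname)(struct demo_sockaddr *, int *), int caller_memset)
{
	char address[128];
	int lv = 0, leaked = 0, i;
	memset(address, MARK, sizeof(address));
	if (caller_memset)
		memset(address, 0, sizeof(address));
	if (getname((struct demo_sockaddr *)address, &lv))
		return -1;
	for (i = 0; i < lv; i++)
		if ((unsigned char)address[i] == MARK)
			leaked++;
	return leaked;
}
```

With the leaky getname() and no zeroing, the four bytes of the larger variant that were never written are counted as leaked; either memset() brings the count to zero.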
Patch

diff --git a/net/core/sock.c b/net/core/sock.c
index 3eed542..759dd81 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -930,6 +930,7 @@  int sock_getsockopt(struct socket *sock, int level, int optname,
 	{
 		char address[128];
 
+		memset(&address, 0, sizeof(address));
 		if (sock->ops->getname(sock, (struct sockaddr *)address, &lv, 2))
 			return -ENOTCONN;
 		if (lv < len)
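Review bot: the added memset() stops unwritten bytes of `address` from reaching userland for every protocol, but it leaves the getname() implementation that fails to fill its output untouched, which is the objection raised in the thread; the source fix is a memset() of the output inside that getname(), and the two are not exclusive if the caller-side clearing is wanted as defence in depth. On the memset line itself, `&address` and `address` evaluate to the same pointer for an array, but `memset(address, 0, sizeof(address));` is the usual spelling and matches how `address` is passed to getname() on the following line. Note also that the clearing now runs on every call through this path, a 128-byte cost that the commit message should justify.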