oss-sec mailing list archives

Re: Re: Linux kernel: more net info leak fixes for v3.9


From: P J P <ppandit () redhat com>
Date: Mon, 22 Apr 2013 19:27:18 +0530 (IST)

+-- On Mon, 22 Apr 2013, Mathias Krause wrote --+
| partly... Have a look at verify_iovec()/verify_compat_iovec(). They're
| updating the msg_name and msg_iov pointers.

  I did, both seem to use the user supplied `msg_namelen' value to copy contents
from user `msg_name' to the `sockaddr_storage addr' variable. And when
`msg_namelen' is zero (0) msg_name is set to NULL. Later the same `msg_namelen'
bytes are copied to user area, right?

Ah, right: both are called with `mode = VERIFY_WRITE' and both initialise the
`addr' variable when mode = VERIFY_READ.

If it's copying user data to `addr', why selectively do it when mode = 
VERIFY_READ?

Also, wouldn't - memset(addr, 0, sizeof(addr)) - fix this leak for all
definitions of the <proto>_recvmsg() routine?

Thank you.
--
Prasad J Pandit / Red Hat Security Response Team
DB7A 84C5 D3F9 7CD1 B5EB  C939 D048 7860 3655 602B
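As an added illustration of the question raised in this message (it is not code from the kernel or from either poster), the following user-space model shows why zeroing `addr` before the protocol handler runs closes the leak. `proto_recvmsg` is a hypothetical handler that, like the affected ones, reports the full `sizeof(struct sockaddr_storage)` as the address length while filling only a few bytes, and a buffer pre-filled with 0xAA stands in for stale kernel stack.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define KSTACK_POISON 0xAA  /* stands in for stale kernel stack bytes */

/* Hypothetical protocol handler: fills only the family and a 2-byte port,
 * but reports the whole structure as the address length (the bug pattern). */
static void proto_recvmsg(struct sockaddr_storage *addr, size_t *namelen)
{
    unsigned short port = 0x1234;  /* constructed sample value */
    addr->ss_family = AF_INET;
    memcpy((char *)addr + sizeof(sa_family_t), &port, sizeof(port));
    *namelen = sizeof(*addr);
}

/* Count bytes of the "user" buffer that still carry the stack poison. */
static size_t stale_bytes(const unsigned char *ubuf, size_t namelen)
{
    size_t n = 0;
    for (size_t i = 0; i < namelen; i++)
        if (ubuf[i] == KSTACK_POISON)
            n++;
    return n;
}

/* Model of the generic recvmsg path: returns how many stale bytes reached
 * user space.  zero_first == 1 applies the memset fix discussed above. */
size_t run_recvmsg(unsigned char *ubuf, size_t ulen, int zero_first)
{
    union { struct sockaddr_storage addr; unsigned char raw[sizeof(struct sockaddr_storage)]; } slot;
    memset(slot.raw, KSTACK_POISON, sizeof(slot.raw));  /* simulated stale stack */
    if (zero_first)
        memset(&slot.addr, 0, sizeof(slot.addr));       /* the fix */

    size_t namelen = 0;
    proto_recvmsg(&slot.addr, &namelen);
    if (namelen > ulen)
        namelen = ulen;                                  /* bound by user length */
    memcpy(ubuf, slot.raw, namelen);                     /* copy_to_user stand-in */
    return stale_bytes(ubuf, namelen);
}

int main(void)
{
    unsigned char ubuf[sizeof(struct sockaddr_storage)];
    printf("without memset: %zu stale bytes\n", run_recvmsg(ubuf, sizeof ubuf, 0));
    printf("with memset:    %zu stale bytes\n", run_recvmsg(ubuf, sizeof ubuf, 1));
    return 0;
}
```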