From: Dave Chinner <david@fromorbit.com>
To: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: aelder@sgi.com, xfs-masters@oss.sgi.com, xfs@oss.sgi.com,
linux-kernel@vger.kernel.org, stable@kernel.org,
security@kernel.org
Subject: Re: [PATCH] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
Date: Mon, 14 Feb 2011 22:46:29 +1100 [thread overview]
Message-ID: <20110214114629.GA13052@dastard> (raw)
In-Reply-To: <1297347904.13370.9.camel@dan>
On Thu, Feb 10, 2011 at 09:25:04AM -0500, Dan Rosenberg wrote:
> The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to
> xfs_fs_geometry() with a version number of 3. This code path does not
> fill in the logsunit member of the passed xfs_fsop_geom_t, leading to
> the leaking of four bytes of uninitialized stack data to potentially
> unprivileged callers. Since all other members are filled in all code
> paths and there are no padding bytes in this structure, it's safe to
> avoid an expensive memset() in favor of just clearing this one field.
If this really is a security problem, then it should use a memset.
This is not a performance critical path and there are differences in
the padding of the structure between 32 bit and 64 bit ioctl
variants (it has a compat ioctl handler) and that can only be
correctly handled by memset().
Also, using a memset means we won't have the problem of introducing
new uninitialised fields or padding if we ever rev the structure
again...
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
WARNING: multiple messages have this Message-ID (diff)
From: Dave Chinner <david@fromorbit.com>
To: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: security@kernel.org, linux-kernel@vger.kernel.org,
xfs@oss.sgi.com, xfs-masters@oss.sgi.com, aelder@sgi.com,
stable@kernel.org
Subject: Re: [PATCH] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
Date: Mon, 14 Feb 2011 22:46:29 +1100 [thread overview]
Message-ID: <20110214114629.GA13052@dastard> (raw)
In-Reply-To: <1297347904.13370.9.camel@dan>
On Thu, Feb 10, 2011 at 09:25:04AM -0500, Dan Rosenberg wrote:
> The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to
> xfs_fs_geometry() with a version number of 3. This code path does not
> fill in the logsunit member of the passed xfs_fsop_geom_t, leading to
> the leaking of four bytes of uninitialized stack data to potentially
> unprivileged callers. Since all other members are filled in all code
> paths and there are no padding bytes in this structure, it's safe to
> avoid an expensive memset() in favor of just clearing this one field.
If this really is a security problem, then it should use a memset.
This is not a performance critical path and there are differences in
the padding of the structure between 32 bit and 64 bit ioctl
variants (it has a compat ioctl handler) and that can only be
correctly handled by memset().
Also, using a memset means we won't have the problem of introducing
new uninitialised fields or padding if we ever rev the structure
again...
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
next prev parent reply other threads:[~2011-02-14 11:46 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-10 14:25 [PATCH] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1 Dan Rosenberg
2011-02-10 14:25 ` Dan Rosenberg
2011-02-14 8:41 ` [Security] " Eugene Teo
2011-02-14 8:41 ` Eugene Teo
2011-02-14 11:46 ` Dave Chinner [this message]
2011-02-14 11:46 ` Dave Chinner
2011-02-14 13:45 ` [PATCH v2] " Dan Rosenberg
2011-02-14 13:45 ` Dan Rosenberg
2011-02-14 23:39 ` Eugene Teo
2011-02-14 23:39 ` Eugene Teo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110214114629.GA13052@dastard \
--to=david@fromorbit.com \
--cc=aelder@sgi.com \
--cc=drosenberg@vsecurity.com \
--cc=linux-kernel@vger.kernel.org \
--cc=security@kernel.org \
--cc=stable@kernel.org \
--cc=xfs-masters@oss.sgi.com \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.