* [PATCH] bluetooth: bnep: fix buffer overflow
@ 2011-02-14 10:54 ` Vasiliy Kulikov
0 siblings, 0 replies; 4+ messages in thread
From: Vasiliy Kulikov @ 2011-02-14 10:54 UTC (permalink / raw)
To: linux-kernel
Cc: security, Marcel Holtmann, Gustavo F. Padovan, David S. Miller,
Tejun Heo, linux-bluetooth, netdev
Struct ca is copied from userspace. It is not checked whether the "device"
field is NULL terminated. This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
---
Compile tested.
net/bluetooth/bnep/sock.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 2862f53..30faaf1 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
sockfd_put(nsock);
return -EBADFD;
}
+ ca.device[sizeof(ca.device)-1] = 0;
err = bnep_add_connection(&ca, nsock);
if (!err) {
--
1.7.0.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH] bluetooth: bnep: fix buffer overflow
@ 2011-02-14 10:54 ` Vasiliy Kulikov
0 siblings, 0 replies; 4+ messages in thread
From: Vasiliy Kulikov @ 2011-02-14 10:54 UTC (permalink / raw)
To: linux-kernel-u79uwXL29TY76Z2rM5mHXA
Cc: security-DgEjT+Ai2ygdnm+yROfE0A, Marcel Holtmann,
Gustavo F. Padovan, David S. Miller, Tejun Heo,
linux-bluetooth-u79uwXL29TY76Z2rM5mHXA,
netdev-u79uwXL29TY76Z2rM5mHXA
Struct ca is copied from userspace. It is not checked whether the "device"
field is NULL terminated. This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.
Signed-off-by: Vasiliy Kulikov <segoon-cxoSlKxDwOJWk0Htik3J/w@public.gmane.org>
---
Compile tested.
net/bluetooth/bnep/sock.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 2862f53..30faaf1 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
sockfd_put(nsock);
return -EBADFD;
}
+ ca.device[sizeof(ca.device)-1] = 0;
err = bnep_add_connection(&ca, nsock);
if (!err) {
--
1.7.0.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH] bluetooth: bnep: fix buffer overflow
@ 2011-02-14 10:54 ` Vasiliy Kulikov
0 siblings, 0 replies; 4+ messages in thread
From: Vasiliy Kulikov @ 2011-02-14 10:54 UTC (permalink / raw)
To: linux-kernel
Cc: security, Marcel Holtmann, Gustavo F. Padovan, David S. Miller,
Tejun Heo, linux-bluetooth, netdev
Struct ca is copied from userspace. It is not checked whether the "device"
field is NULL terminated. This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
---
Compile tested.
net/bluetooth/bnep/sock.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 2862f53..30faaf1 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
sockfd_put(nsock);
return -EBADFD;
}
+ ca.device[sizeof(ca.device)-1] = 0;
err = bnep_add_connection(&ca, nsock);
if (!err) {
--
1.7.0.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] bluetooth: bnep: fix buffer overflow
2011-02-14 10:54 ` Vasiliy Kulikov
(?)
(?)
@ 2011-02-14 14:35 ` Gustavo F. Padovan
-1 siblings, 0 replies; 4+ messages in thread
From: Gustavo F. Padovan @ 2011-02-14 14:35 UTC (permalink / raw)
To: Vasiliy Kulikov
Cc: linux-kernel, security, Marcel Holtmann, David S. Miller,
Tejun Heo, linux-bluetooth, netdev
Hi Vasiliy,
* Vasiliy Kulikov <segoon@openwall.com> [2011-02-14 13:54:31 +0300]:
> Struct ca is copied from userspace. It is not checked whether the "device"
> field is NULL terminated. This potentially leads to BUG() inside of
> alloc_netdev_mqs() and/or information leak by creating a device with a name
> made of contents of kernel stack.
>
> Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
> ---
> Compile tested.
>
> net/bluetooth/bnep/sock.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
Applied, thanks.
--
Gustavo F. Padovan
http://profusion.mobi
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-02-14 14:35 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-02-14 10:54 [PATCH] bluetooth: bnep: fix buffer overflow Vasiliy Kulikov
2011-02-14 10:54 ` Vasiliy Kulikov
2011-02-14 10:54 ` Vasiliy Kulikov
2011-02-14 14:35 ` Gustavo F. Padovan
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.