All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] bluetooth: bnep: fix buffer overflow
@ 2011-02-14 10:54 ` Vasiliy Kulikov
  0 siblings, 0 replies; 4+ messages in thread
From: Vasiliy Kulikov @ 2011-02-14 10:54 UTC (permalink / raw)
  To: linux-kernel
  Cc: security, Marcel Holtmann, Gustavo F. Padovan, David S. Miller,
	Tejun Heo, linux-bluetooth, netdev

Struct ca is copied from userspace.  It is not checked whether the "device"
field is NULL terminated.  This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
---
 Compile tested.

 net/bluetooth/bnep/sock.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 2862f53..30faaf1 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 			sockfd_put(nsock);
 			return -EBADFD;
 		}
+		ca.device[sizeof(ca.device)-1] = 0;
 
 		err = bnep_add_connection(&ca, nsock);
 		if (!err) {
-- 
1.7.0.4


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH] bluetooth: bnep: fix buffer overflow
@ 2011-02-14 10:54 ` Vasiliy Kulikov
  0 siblings, 0 replies; 4+ messages in thread
From: Vasiliy Kulikov @ 2011-02-14 10:54 UTC (permalink / raw)
  To: linux-kernel-u79uwXL29TY76Z2rM5mHXA
  Cc: security-DgEjT+Ai2ygdnm+yROfE0A, Marcel Holtmann,
	Gustavo F. Padovan, David S. Miller, Tejun Heo,
	linux-bluetooth-u79uwXL29TY76Z2rM5mHXA,
	netdev-u79uwXL29TY76Z2rM5mHXA

Struct ca is copied from userspace.  It is not checked whether the "device"
field is NULL terminated.  This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.

Signed-off-by: Vasiliy Kulikov <segoon-cxoSlKxDwOJWk0Htik3J/w@public.gmane.org>
---
 Compile tested.

 net/bluetooth/bnep/sock.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 2862f53..30faaf1 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 			sockfd_put(nsock);
 			return -EBADFD;
 		}
+		ca.device[sizeof(ca.device)-1] = 0;
 
 		err = bnep_add_connection(&ca, nsock);
 		if (!err) {
-- 
1.7.0.4

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH] bluetooth: bnep: fix buffer overflow
@ 2011-02-14 10:54 ` Vasiliy Kulikov
  0 siblings, 0 replies; 4+ messages in thread
From: Vasiliy Kulikov @ 2011-02-14 10:54 UTC (permalink / raw)
  To: linux-kernel
  Cc: security, Marcel Holtmann, Gustavo F. Padovan, David S. Miller,
	Tejun Heo, linux-bluetooth, netdev

Struct ca is copied from userspace.  It is not checked whether the "device"
field is NULL terminated.  This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
---
 Compile tested.

 net/bluetooth/bnep/sock.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 2862f53..30faaf1 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 			sockfd_put(nsock);
 			return -EBADFD;
 		}
+		ca.device[sizeof(ca.device)-1] = 0;
 
 		err = bnep_add_connection(&ca, nsock);
 		if (!err) {
-- 
1.7.0.4

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] bluetooth: bnep: fix buffer overflow
  2011-02-14 10:54 ` Vasiliy Kulikov
  (?)
  (?)
@ 2011-02-14 14:35 ` Gustavo F. Padovan
  -1 siblings, 0 replies; 4+ messages in thread
From: Gustavo F. Padovan @ 2011-02-14 14:35 UTC (permalink / raw)
  To: Vasiliy Kulikov
  Cc: linux-kernel, security, Marcel Holtmann, David S. Miller,
	Tejun Heo, linux-bluetooth, netdev

Hi Vasiliy,

* Vasiliy Kulikov <segoon@openwall.com> [2011-02-14 13:54:31 +0300]:

> Struct ca is copied from userspace.  It is not checked whether the "device"
> field is NULL terminated.  This potentially leads to BUG() inside of
> alloc_netdev_mqs() and/or information leak by creating a device with a name
> made of contents of kernel stack.
> 
> Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
> ---
>  Compile tested.
> 
>  net/bluetooth/bnep/sock.c |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)

Applied, thanks.

-- 
Gustavo F. Padovan
http://profusion.mobi

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-02-14 14:35 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-02-14 10:54 [PATCH] bluetooth: bnep: fix buffer overflow Vasiliy Kulikov
2011-02-14 10:54 ` Vasiliy Kulikov
2011-02-14 10:54 ` Vasiliy Kulikov
2011-02-14 14:35 ` Gustavo F. Padovan

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.