* [PATCH net 0/4] xfrm_user info leaks
@ 2017-08-26 15:08 Mathias Krause
2017-08-26 15:08 ` [PATCH net 1/4] xfrm_user: fix info leak in copy_user_offload() Mathias Krause
` (5 more replies)
0 siblings, 6 replies; 9+ messages in thread
From: Mathias Krause @ 2017-08-26 15:08 UTC (permalink / raw)
To: Steffen Klassert, David S. Miller, Herbert Xu; +Cc: netdev, Mathias Krause
Hi David, Steffen,
the following series fixes a few info leaks due to missing padding byte
initialization in the xfrm_user netlink interface.
Please apply!
Mathias Krause (4):
xfrm_user: fix info leak in copy_user_offload()
xfrm_user: fix info leak in xfrm_notify_sa()
xfrm_user: fix info leak in build_expire()
xfrm_user: fix info leak in build_aevent()
net/xfrm/xfrm_user.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--
1.7.10.4
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH net 1/4] xfrm_user: fix info leak in copy_user_offload()
2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
@ 2017-08-26 15:08 ` Mathias Krause
2017-08-26 15:08 ` [PATCH net 2/4] xfrm_user: fix info leak in xfrm_notify_sa() Mathias Krause
` (4 subsequent siblings)
5 siblings, 0 replies; 9+ messages in thread
From: Mathias Krause @ 2017-08-26 15:08 UTC (permalink / raw)
To: Steffen Klassert, David S. Miller, Herbert Xu; +Cc: netdev, Mathias Krause
The memory reserved to dump the xfrm offload state includes padding
bytes of struct xfrm_user_offload added by the compiler for alignment.
Add an explicit memset(0) before filling the buffer to avoid the heap
info leak.
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
net/xfrm/xfrm_user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 2be4c6af008a..3259555ae7d7 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -796,7 +796,7 @@ static int copy_user_offload(struct xfrm_state_offload *xso, struct sk_buff *skb
return -EMSGSIZE;
xuo = nla_data(attr);
-
+ memset(xuo, 0, sizeof(*xuo));
xuo->ifindex = xso->dev->ifindex;
xuo->flags = xso->flags;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH net 2/4] xfrm_user: fix info leak in xfrm_notify_sa()
2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
2017-08-26 15:08 ` [PATCH net 1/4] xfrm_user: fix info leak in copy_user_offload() Mathias Krause
@ 2017-08-26 15:08 ` Mathias Krause
2017-08-26 15:08 ` [PATCH net 3/4] xfrm_user: fix info leak in build_expire() Mathias Krause
` (3 subsequent siblings)
5 siblings, 0 replies; 9+ messages in thread
From: Mathias Krause @ 2017-08-26 15:08 UTC (permalink / raw)
To: Steffen Klassert, David S. Miller, Herbert Xu; +Cc: netdev, Mathias Krause
The memory reserved to dump the ID of the xfrm state includes a padding
byte in struct xfrm_usersa_id added by the compiler for alignment. To
prevent the heap info leak, memset(0) the whole struct before filling
it.
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Fixes: 0603eac0d6b7 ("[IPSEC]: Add XFRMA_SA/XFRMA_POLICY for delete notification")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
net/xfrm/xfrm_user.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 3259555ae7d7..c33516ef52f2 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2715,6 +2715,7 @@ static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
struct nlattr *attr;
id = nlmsg_data(nlh);
+ memset(id, 0, sizeof(*id));
memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr));
id->spi = x->id.spi;
id->family = x->props.family;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH net 3/4] xfrm_user: fix info leak in build_expire()
2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
2017-08-26 15:08 ` [PATCH net 1/4] xfrm_user: fix info leak in copy_user_offload() Mathias Krause
2017-08-26 15:08 ` [PATCH net 2/4] xfrm_user: fix info leak in xfrm_notify_sa() Mathias Krause
@ 2017-08-26 15:08 ` Mathias Krause
2017-08-26 15:09 ` [PATCH net 4/4] xfrm_user: fix info leak in build_aevent() Mathias Krause
` (2 subsequent siblings)
5 siblings, 0 replies; 9+ messages in thread
From: Mathias Krause @ 2017-08-26 15:08 UTC (permalink / raw)
To: Steffen Klassert, David S. Miller, Herbert Xu; +Cc: netdev, Mathias Krause
The memory reserved to dump the expired xfrm state includes padding
bytes in struct xfrm_user_expire added by the compiler for alignment. To
prevent the heap info leak, memset(0) the remainder of the struct.
Initializing the whole structure isn't needed as copy_to_user_state()
already takes care of clearing the padding bytes within the 'state'
member.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
net/xfrm/xfrm_user.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c33516ef52f2..2cbdc81610c6 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2578,6 +2578,8 @@ static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct
ue = nlmsg_data(nlh);
copy_to_user_state(x, &ue->state);
ue->hard = (c->data.hard != 0) ? 1 : 0;
+ /* clear the padding bytes */
+ memset(&ue->hard + 1, 0, sizeof(*ue) - offsetofend(typeof(*ue), hard));
err = xfrm_mark_put(skb, &x->mark);
if (err)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH net 4/4] xfrm_user: fix info leak in build_aevent()
2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
` (2 preceding siblings ...)
2017-08-26 15:08 ` [PATCH net 3/4] xfrm_user: fix info leak in build_expire() Mathias Krause
@ 2017-08-26 15:09 ` Mathias Krause
2017-08-26 15:58 ` [PATCH net 0/4] xfrm_user info leaks Joe Perches
2017-08-28 22:52 ` David Miller
5 siblings, 0 replies; 9+ messages in thread
From: Mathias Krause @ 2017-08-26 15:09 UTC (permalink / raw)
To: Steffen Klassert, David S. Miller, Herbert Xu
Cc: netdev, Mathias Krause, Jamal Hadi Salim
The memory reserved to dump the ID of the xfrm state includes a padding
byte in struct xfrm_usersa_id added by the compiler for alignment. To
prevent the heap info leak, memset(0) the sa_id before filling it.
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Fixes: d51d081d6504 ("[IPSEC]: Sync series - user")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
net/xfrm/xfrm_user.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 2cbdc81610c6..9391ced05259 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1869,6 +1869,7 @@ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct
return -EMSGSIZE;
id = nlmsg_data(nlh);
+ memset(&id->sa_id, 0, sizeof(id->sa_id));
memcpy(&id->sa_id.daddr, &x->id.daddr, sizeof(x->id.daddr));
id->sa_id.spi = x->id.spi;
id->sa_id.family = x->props.family;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH net 0/4] xfrm_user info leaks
2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
` (3 preceding siblings ...)
2017-08-26 15:09 ` [PATCH net 4/4] xfrm_user: fix info leak in build_aevent() Mathias Krause
@ 2017-08-26 15:58 ` Joe Perches
2017-08-26 19:56 ` Mathias Krause
2017-08-28 22:52 ` David Miller
5 siblings, 1 reply; 9+ messages in thread
From: Joe Perches @ 2017-08-26 15:58 UTC (permalink / raw)
To: Mathias Krause, Steffen Klassert, David S. Miller, Herbert Xu; +Cc: netdev
On Sat, 2017-08-26 at 17:08 +0200, Mathias Krause wrote:
> Hi David, Steffen,
>
> the following series fixes a few info leaks due to missing padding byte
> initialization in the xfrm_user netlink interface.
Were these found by inspection or by some tool?
If by tool, perhaps there are other _to_user cases?
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net 0/4] xfrm_user info leaks
2017-08-26 15:58 ` [PATCH net 0/4] xfrm_user info leaks Joe Perches
@ 2017-08-26 19:56 ` Mathias Krause
0 siblings, 0 replies; 9+ messages in thread
From: Mathias Krause @ 2017-08-26 19:56 UTC (permalink / raw)
To: Joe Perches; +Cc: Steffen Klassert, David S. Miller, Herbert Xu, netdev
On 26 August 2017 at 17:58, Joe Perches <joe@perches.com> wrote:
> On Sat, 2017-08-26 at 17:08 +0200, Mathias Krause wrote:
>> Hi David, Steffen,
>>
>> the following series fixes a few info leaks due to missing padding byte
>> initialization in the xfrm_user netlink interface.
>
> Were these found by inspection or by some tool?
> If by tool, perhaps there are other _to_user cases?
I found the one in the offload API by manual inspection, looked around
a little and found the others. No tool involved.
I already looked at the xfrm_user API back in 2012 and fixed quite a
few info leaks but missed the ones in the netlink multicast
notification code :/
Regards,
Mathias
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net 0/4] xfrm_user info leaks
2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
` (4 preceding siblings ...)
2017-08-26 15:58 ` [PATCH net 0/4] xfrm_user info leaks Joe Perches
@ 2017-08-28 22:52 ` David Miller
2017-08-29 4:43 ` Steffen Klassert
5 siblings, 1 reply; 9+ messages in thread
From: David Miller @ 2017-08-28 22:52 UTC (permalink / raw)
To: minipli; +Cc: steffen.klassert, herbert, netdev
From: Mathias Krause <minipli@googlemail.com>
Date: Sat, 26 Aug 2017 17:08:56 +0200
> Hi David, Steffen,
>
> the following series fixes a few info leaks due to missing padding byte
> initialization in the xfrm_user netlink interface.
>
> Please apply!
Steffen please pick this up if you haven't already.
Thank you.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net 0/4] xfrm_user info leaks
2017-08-28 22:52 ` David Miller
@ 2017-08-29 4:43 ` Steffen Klassert
0 siblings, 0 replies; 9+ messages in thread
From: Steffen Klassert @ 2017-08-29 4:43 UTC (permalink / raw)
To: David Miller; +Cc: minipli, herbert, netdev
On Mon, Aug 28, 2017 at 03:52:32PM -0700, David Miller wrote:
> From: Mathias Krause <minipli@googlemail.com>
> Date: Sat, 26 Aug 2017 17:08:56 +0200
>
> > Hi David, Steffen,
> >
> > the following series fixes a few info leaks due to missing padding byte
> > initialization in the xfrm_user netlink interface.
> >
> > Please apply!
>
> Steffen please pick this up if you haven't already.
I had it already in the ipsec/testing branch, now merged into
ipsec/master.
Thanks everyone!
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2017-08-29 4:43 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
2017-08-26 15:08 ` [PATCH net 1/4] xfrm_user: fix info leak in copy_user_offload() Mathias Krause
2017-08-26 15:08 ` [PATCH net 2/4] xfrm_user: fix info leak in xfrm_notify_sa() Mathias Krause
2017-08-26 15:08 ` [PATCH net 3/4] xfrm_user: fix info leak in build_expire() Mathias Krause
2017-08-26 15:09 ` [PATCH net 4/4] xfrm_user: fix info leak in build_aevent() Mathias Krause
2017-08-26 15:58 ` [PATCH net 0/4] xfrm_user info leaks Joe Perches
2017-08-26 19:56 ` Mathias Krause
2017-08-28 22:52 ` David Miller
2017-08-29 4:43 ` Steffen Klassert
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.