All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH net 0/4] xfrm_user info leaks
@ 2017-08-26 15:08 Mathias Krause
  2017-08-26 15:08 ` [PATCH net 1/4] xfrm_user: fix info leak in copy_user_offload() Mathias Krause
                   ` (5 more replies)
  0 siblings, 6 replies; 9+ messages in thread
From: Mathias Krause @ 2017-08-26 15:08 UTC (permalink / raw)
  To: Steffen Klassert, David S. Miller, Herbert Xu; +Cc: netdev, Mathias Krause

Hi David, Steffen,

the following series fixes a few info leaks due to missing padding byte
initialization in the xfrm_user netlink interface.

Please apply!

Mathias Krause (4):
  xfrm_user: fix info leak in copy_user_offload()
  xfrm_user: fix info leak in xfrm_notify_sa()
  xfrm_user: fix info leak in build_expire()
  xfrm_user: fix info leak in build_aevent()

 net/xfrm/xfrm_user.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

-- 
1.7.10.4

^ permalink raw reply	[flat|nested] 9+ messages in thread
* [PATCH net 1/4] xfrm_user: fix info leak in copy_user_offload()
  2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
@ 2017-08-26 15:08 ` Mathias Krause
  2017-08-26 15:08 ` [PATCH net 2/4] xfrm_user: fix info leak in xfrm_notify_sa() Mathias Krause
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Mathias Krause @ 2017-08-26 15:08 UTC (permalink / raw)
  To: Steffen Klassert, David S. Miller, Herbert Xu; +Cc: netdev, Mathias Krause

The memory reserved to dump the xfrm offload state includes padding
bytes of struct xfrm_user_offload added by the compiler for alignment.
Add an explicit memset(0) before filling the buffer to avoid the heap
info leak.

Cc: Steffen Klassert <steffen.klassert@secunet.com>
Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
 net/xfrm/xfrm_user.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 2be4c6af008a..3259555ae7d7 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -796,7 +796,7 @@ static int copy_user_offload(struct xfrm_state_offload *xso, struct sk_buff *skb
 		return -EMSGSIZE;
 
 	xuo = nla_data(attr);
-
+	memset(xuo, 0, sizeof(*xuo));
 	xuo->ifindex = xso->dev->ifindex;
 	xuo->flags = xso->flags;
 
-- 
1.7.10.4

^ permalink raw reply related	[flat|nested] 9+ messages in thread
* [PATCH net 2/4] xfrm_user: fix info leak in xfrm_notify_sa()
  2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
  2017-08-26 15:08 ` [PATCH net 1/4] xfrm_user: fix info leak in copy_user_offload() Mathias Krause
@ 2017-08-26 15:08 ` Mathias Krause
  2017-08-26 15:08 ` [PATCH net 3/4] xfrm_user: fix info leak in build_expire() Mathias Krause
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Mathias Krause @ 2017-08-26 15:08 UTC (permalink / raw)
  To: Steffen Klassert, David S. Miller, Herbert Xu; +Cc: netdev, Mathias Krause

The memory reserved to dump the ID of the xfrm state includes a padding
byte in struct xfrm_usersa_id added by the compiler for alignment. To
prevent the heap info leak, memset(0) the whole struct before filling
it.

Cc: Herbert Xu <herbert@gondor.apana.org.au>
Fixes: 0603eac0d6b7 ("[IPSEC]: Add XFRMA_SA/XFRMA_POLICY for delete notification")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
 net/xfrm/xfrm_user.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 3259555ae7d7..c33516ef52f2 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2715,6 +2715,7 @@ static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
 		struct nlattr *attr;
 
 		id = nlmsg_data(nlh);
+		memset(id, 0, sizeof(*id));
 		memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr));
 		id->spi = x->id.spi;
 		id->family = x->props.family;
-- 
1.7.10.4

^ permalink raw reply related	[flat|nested] 9+ messages in thread
* [PATCH net 3/4] xfrm_user: fix info leak in build_expire()
  2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
  2017-08-26 15:08 ` [PATCH net 1/4] xfrm_user: fix info leak in copy_user_offload() Mathias Krause
  2017-08-26 15:08 ` [PATCH net 2/4] xfrm_user: fix info leak in xfrm_notify_sa() Mathias Krause
@ 2017-08-26 15:08 ` Mathias Krause
  2017-08-26 15:09 ` [PATCH net 4/4] xfrm_user: fix info leak in build_aevent() Mathias Krause
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Mathias Krause @ 2017-08-26 15:08 UTC (permalink / raw)
  To: Steffen Klassert, David S. Miller, Herbert Xu; +Cc: netdev, Mathias Krause

The memory reserved to dump the expired xfrm state includes padding
bytes in struct xfrm_user_expire added by the compiler for alignment. To
prevent the heap info leak, memset(0) the remainder of the struct.
Initializing the whole structure isn't needed as copy_to_user_state()
already takes care of clearing the padding bytes within the 'state'
member.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
 net/xfrm/xfrm_user.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c33516ef52f2..2cbdc81610c6 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2578,6 +2578,8 @@ static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct
 	ue = nlmsg_data(nlh);
 	copy_to_user_state(x, &ue->state);
 	ue->hard = (c->data.hard != 0) ? 1 : 0;
+	/* clear the padding bytes */
+	memset(&ue->hard + 1, 0, sizeof(*ue) - offsetofend(typeof(*ue), hard));
 
 	err = xfrm_mark_put(skb, &x->mark);
 	if (err)
-- 
1.7.10.4

^ permalink raw reply related	[flat|nested] 9+ messages in thread
* [PATCH net 4/4] xfrm_user: fix info leak in build_aevent()
  2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
                   ` (2 preceding siblings ...)
  2017-08-26 15:08 ` [PATCH net 3/4] xfrm_user: fix info leak in build_expire() Mathias Krause
@ 2017-08-26 15:09 ` Mathias Krause
  2017-08-26 15:58 ` [PATCH net 0/4] xfrm_user info leaks Joe Perches
  2017-08-28 22:52 ` David Miller
  5 siblings, 0 replies; 9+ messages in thread
From: Mathias Krause @ 2017-08-26 15:09 UTC (permalink / raw)
  To: Steffen Klassert, David S. Miller, Herbert Xu
  Cc: netdev, Mathias Krause, Jamal Hadi Salim

The memory reserved to dump the ID of the xfrm state includes a padding
byte in struct xfrm_usersa_id added by the compiler for alignment. To
prevent the heap info leak, memset(0) the sa_id before filling it.

Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Fixes: d51d081d6504 ("[IPSEC]: Sync series - user")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
 net/xfrm/xfrm_user.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 2cbdc81610c6..9391ced05259 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1869,6 +1869,7 @@ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct
 		return -EMSGSIZE;
 
 	id = nlmsg_data(nlh);
+	memset(&id->sa_id, 0, sizeof(id->sa_id));
 	memcpy(&id->sa_id.daddr, &x->id.daddr, sizeof(x->id.daddr));
 	id->sa_id.spi = x->id.spi;
 	id->sa_id.family = x->props.family;
-- 
1.7.10.4

^ permalink raw reply related	[flat|nested] 9+ messages in thread
* Re: [PATCH net 0/4] xfrm_user info leaks
  2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
                   ` (3 preceding siblings ...)
  2017-08-26 15:09 ` [PATCH net 4/4] xfrm_user: fix info leak in build_aevent() Mathias Krause
@ 2017-08-26 15:58 ` Joe Perches
  2017-08-26 19:56   ` Mathias Krause
  2017-08-28 22:52 ` David Miller
  5 siblings, 1 reply; 9+ messages in thread
From: Joe Perches @ 2017-08-26 15:58 UTC (permalink / raw)
  To: Mathias Krause, Steffen Klassert, David S. Miller, Herbert Xu; +Cc: netdev

On Sat, 2017-08-26 at 17:08 +0200, Mathias Krause wrote:
> Hi David, Steffen,
> 
> the following series fixes a few info leaks due to missing padding byte
> initialization in the xfrm_user netlink interface.

Were these found by inspection or by some tool?
If by tool, perhaps there are other _to_user cases?

^ permalink raw reply	[flat|nested] 9+ messages in thread
* Re: [PATCH net 0/4] xfrm_user info leaks
  2017-08-26 15:58 ` [PATCH net 0/4] xfrm_user info leaks Joe Perches
@ 2017-08-26 19:56   ` Mathias Krause
  0 siblings, 0 replies; 9+ messages in thread
From: Mathias Krause @ 2017-08-26 19:56 UTC (permalink / raw)
  To: Joe Perches; +Cc: Steffen Klassert, David S. Miller, Herbert Xu, netdev

On 26 August 2017 at 17:58, Joe Perches <joe@perches.com> wrote:
> On Sat, 2017-08-26 at 17:08 +0200, Mathias Krause wrote:
>> Hi David, Steffen,
>>
>> the following series fixes a few info leaks due to missing padding byte
>> initialization in the xfrm_user netlink interface.
>
> Were these found by inspection or by some tool?
> If by tool, perhaps there are other _to_user cases?

I found the one in the offload API by manual inspection, looked around
a little and found the others. No tool involved.

I already looked at the xfrm_user API back in 2012 and fixed quite a
few info leaks but missed the ones in the netlink multicast
notification code :/


Regards,
Mathias

^ permalink raw reply	[flat|nested] 9+ messages in thread
* Re: [PATCH net 0/4] xfrm_user info leaks
  2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
                   ` (4 preceding siblings ...)
  2017-08-26 15:58 ` [PATCH net 0/4] xfrm_user info leaks Joe Perches
@ 2017-08-28 22:52 ` David Miller
  2017-08-29  4:43   ` Steffen Klassert
  5 siblings, 1 reply; 9+ messages in thread
From: David Miller @ 2017-08-28 22:52 UTC (permalink / raw)
  To: minipli; +Cc: steffen.klassert, herbert, netdev

From: Mathias Krause <minipli@googlemail.com>
Date: Sat, 26 Aug 2017 17:08:56 +0200

> Hi David, Steffen,
> 
> the following series fixes a few info leaks due to missing padding byte
> initialization in the xfrm_user netlink interface.
> 
> Please apply!

Steffen please pick this up if you haven't already.

Thank you.

^ permalink raw reply	[flat|nested] 9+ messages in thread
* Re: [PATCH net 0/4] xfrm_user info leaks
  2017-08-28 22:52 ` David Miller
@ 2017-08-29  4:43   ` Steffen Klassert
  0 siblings, 0 replies; 9+ messages in thread
From: Steffen Klassert @ 2017-08-29  4:43 UTC (permalink / raw)
  To: David Miller; +Cc: minipli, herbert, netdev

On Mon, Aug 28, 2017 at 03:52:32PM -0700, David Miller wrote:
> From: Mathias Krause <minipli@googlemail.com>
> Date: Sat, 26 Aug 2017 17:08:56 +0200
> 
> > Hi David, Steffen,
> > 
> > the following series fixes a few info leaks due to missing padding byte
> > initialization in the xfrm_user netlink interface.
> > 
> > Please apply!
> 
> Steffen please pick this up if you haven't already.

I had it already in the ipsec/testing branch, now merged into
ipsec/master.

Thanks everyone!

^ permalink raw reply	[flat|nested] 9+ messages in thread
end of thread, other threads:[~2017-08-29  4:43 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-26 15:08 [PATCH net 0/4] xfrm_user info leaks Mathias Krause
2017-08-26 15:08 ` [PATCH net 1/4] xfrm_user: fix info leak in copy_user_offload() Mathias Krause
2017-08-26 15:08 ` [PATCH net 2/4] xfrm_user: fix info leak in xfrm_notify_sa() Mathias Krause
2017-08-26 15:08 ` [PATCH net 3/4] xfrm_user: fix info leak in build_expire() Mathias Krause
2017-08-26 15:09 ` [PATCH net 4/4] xfrm_user: fix info leak in build_aevent() Mathias Krause
2017-08-26 15:58 ` [PATCH net 0/4] xfrm_user info leaks Joe Perches
2017-08-26 19:56   ` Mathias Krause
2017-08-28 22:52 ` David Miller
2017-08-29  4:43   ` Steffen Klassert

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.