All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH net] can: j1939: fix kernel-infoleak in j1939_sk_sock2sockaddr_can()
@ 2020-08-13 16:18 Eric Dumazet
  2020-08-13 17:06 ` Oleksij Rempel
  0 siblings, 1 reply; 2+ messages in thread
From: Eric Dumazet @ 2020-08-13 16:18 UTC (permalink / raw)
  To: David S . Miller
  Cc: netdev, Eric Dumazet, Eric Dumazet, syzbot, Robin van der Gracht,
	Oleksij Rempel, Pengutronix Kernel Team, linux-can

syzbot found that at least 2 bytes of kernel information
were leaked during getsockname() on AF_CAN CAN_J1939 socket.

Since struct sockaddr_can has in fact two holes, simply
clear the whole area before filling it with useful data.

BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
CPU: 0 PID: 8466 Comm: syz-executor511 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
 kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
 kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
 instrument_copy_to_user include/linux/instrumented.h:91 [inline]
 _copy_to_user+0x18e/0x260 lib/usercopy.c:39
 copy_to_user include/linux/uaccess.h:186 [inline]
 move_addr_to_user+0x3de/0x670 net/socket.c:237
 __sys_getsockname+0x407/0x5e0 net/socket.c:1909
 __do_sys_getsockname net/socket.c:1920 [inline]
 __se_sys_getsockname+0x91/0xb0 net/socket.c:1917
 __x64_sys_getsockname+0x4a/0x70 net/socket.c:1917
 do_syscall_64+0xad/0x160 arch/x86/entry/common.c:386
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440219
Code: Bad RIP value.
RSP: 002b:00007ffe5ee150c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000033
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
RDX: 0000000020000240 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a20
R13: 0000000000401ab0 R14: 0000000000000000 R15: 0000000000000000

Local variable ----address@__sys_getsockname created at:
 __sys_getsockname+0x91/0x5e0 net/socket.c:1894
 __sys_getsockname+0x91/0x5e0 net/socket.c:1894

Bytes 2-3 of 24 are uninitialized
Memory access of size 24 starts at ffff8880ba2c7de8
Data copied to user address 0000000020000100

Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Robin van der Gracht <robin@protonic.nl>
Cc: Oleksij Rempel <o.rempel@pengutronix.de>
Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
Cc: linux-can@vger.kernel.org
---
 net/can/j1939/socket.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
index 78ff9b3f1d40c732ba39b2402b5099ba84f8a4a5..3db0973e6d31ddf5267d8c56d3b8cedb800e78fd 100644
--- a/net/can/j1939/socket.c
+++ b/net/can/j1939/socket.c
@@ -553,6 +553,11 @@ static int j1939_sk_connect(struct socket *sock, struct sockaddr *uaddr,
 static void j1939_sk_sock2sockaddr_can(struct sockaddr_can *addr,
 				       const struct j1939_sock *jsk, int peer)
 {
+	/* There are two holes (2 bytes and 3 bytes) to clear to avoid
+	 * leaking kernel information to user space.
+	*/
+	memset(addr, 0, J1939_MIN_NAMELEN);
+
 	addr->can_family = AF_CAN;
 	addr->can_ifindex = jsk->ifindex;
 	addr->can_addr.j1939.pgn = jsk->addr.pgn;
-- 
2.28.0.220.ged08abb693-goog


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH net] can: j1939: fix kernel-infoleak in j1939_sk_sock2sockaddr_can()
  2020-08-13 16:18 [PATCH net] can: j1939: fix kernel-infoleak in j1939_sk_sock2sockaddr_can() Eric Dumazet
@ 2020-08-13 17:06 ` Oleksij Rempel
  0 siblings, 0 replies; 2+ messages in thread
From: Oleksij Rempel @ 2020-08-13 17:06 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: David S . Miller, netdev, Eric Dumazet, syzbot,
	Robin van der Gracht, Pengutronix Kernel Team, linux-can

Hi Eric,

On Thu, Aug 13, 2020 at 09:18:34AM -0700, Eric Dumazet wrote:
> syzbot found that at least 2 bytes of kernel information
> were leaked during getsockname() on AF_CAN CAN_J1939 socket.
> 
> Since struct sockaddr_can has in fact two holes, simply
> clear the whole area before filling it with useful data.
> 
> BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
> CPU: 0 PID: 8466 Comm: syz-executor511 Not tainted 5.8.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x21c/0x280 lib/dump_stack.c:118
>  kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
>  kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
>  kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
>  instrument_copy_to_user include/linux/instrumented.h:91 [inline]
>  _copy_to_user+0x18e/0x260 lib/usercopy.c:39
>  copy_to_user include/linux/uaccess.h:186 [inline]
>  move_addr_to_user+0x3de/0x670 net/socket.c:237
>  __sys_getsockname+0x407/0x5e0 net/socket.c:1909
>  __do_sys_getsockname net/socket.c:1920 [inline]
>  __se_sys_getsockname+0x91/0xb0 net/socket.c:1917
>  __x64_sys_getsockname+0x4a/0x70 net/socket.c:1917
>  do_syscall_64+0xad/0x160 arch/x86/entry/common.c:386
>  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> RIP: 0033:0x440219
> Code: Bad RIP value.
> RSP: 002b:00007ffe5ee150c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000033
> RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
> RDX: 0000000020000240 RSI: 0000000020000100 RDI: 0000000000000003
> RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a20
> R13: 0000000000401ab0 R14: 0000000000000000 R15: 0000000000000000
> 
> Local variable ----address@__sys_getsockname created at:
>  __sys_getsockname+0x91/0x5e0 net/socket.c:1894
>  __sys_getsockname+0x91/0x5e0 net/socket.c:1894
> 
> Bytes 2-3 of 24 are uninitialized
> Memory access of size 24 starts at ffff8880ba2c7de8
> Data copied to user address 0000000020000100
> 
> Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Cc: Robin van der Gracht <robin@protonic.nl>
> Cc: Oleksij Rempel <o.rempel@pengutronix.de>
> Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
> Cc: linux-can@vger.kernel.org

Thank you for your patch!
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>

> ---
>  net/can/j1939/socket.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
> index 78ff9b3f1d40c732ba39b2402b5099ba84f8a4a5..3db0973e6d31ddf5267d8c56d3b8cedb800e78fd 100644
> --- a/net/can/j1939/socket.c
> +++ b/net/can/j1939/socket.c
> @@ -553,6 +553,11 @@ static int j1939_sk_connect(struct socket *sock, struct sockaddr *uaddr,
>  static void j1939_sk_sock2sockaddr_can(struct sockaddr_can *addr,
>  				       const struct j1939_sock *jsk, int peer)
>  {
> +	/* There are two holes (2 bytes and 3 bytes) to clear to avoid
> +	 * leaking kernel information to user space.
> +	*/
> +	memset(addr, 0, J1939_MIN_NAMELEN);
> +
>  	addr->can_family = AF_CAN;
>  	addr->can_ifindex = jsk->ifindex;
>  	addr->can_addr.j1939.pgn = jsk->addr.pgn;
> -- 
> 2.28.0.220.ged08abb693-goog
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-08-13 17:06 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-13 16:18 [PATCH net] can: j1939: fix kernel-infoleak in j1939_sk_sock2sockaddr_can() Eric Dumazet
2020-08-13 17:06 ` Oleksij Rempel

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.