From: Norbert Slusarek <nslusarek@gmx.net>
To: Patrick Menschel <menschel.p@posteo.de>
Cc: Oliver Hartkopp <socketcan@hartkopp.net>,
	mkl@pengutronix.de, davem@davemloft.net, kuba@kernel.org,
	linux-can@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH] can: bcm: fix infoleak in struct bcm_msg_head
Date: Sun, 13 Jun 2021 15:35:48 +0200
Message-ID: <trinity-0d8be729-1e3c-452c-8171-962963abed0d-1623591348277@3c-app-gmx-bap71>
In-Reply-To: <34cc6b6a-6eb0-f3ce-1864-9057b80fab9e@posteo.de>

>Hi,
>
>1.
>Are you sure this leak really happens on 64-bit and not on 32-bit instead?
>
>I remember I got the problems with bcm msg head on the 32bit raspberry
>pi because I missed the alignment by accident.
>
>When I calculate the size of msg head on a Ryzen 1800X with Python
>3.9.5, I get:
>
>struct.calcsize("IIIllllII"),struct.calcsize("IIIllllII0q")
>(56, 56)
>
>First value is raw, the second value is the alignment hack with the zero
>length quad word "0q".
>
>On the 32bit raspberry pi, same op results in the gap.
>
>struct.calcsize("IIIllllII"),struct.calcsize("IIIllllII0q")
>(36, 40)

Hey Patrick,

Having reproduced this leak, I could only observe the issue on 64-bit systems.
I've just tested it on a 32-bit OS running on a raspberry pi and I couldn't observe
any leak. The offset difference on 32-bit between count and ival1 is 4.
On 64-bit systems, it's 8:

(gdb) ptype struct bcm_msg_head
type = struct bcm_msg_head {
    __u32 opcode;
    __u32 flags;
    __u32 count;
    struct bcm_timeval ival1;
    struct bcm_timeval ival2;
    canid_t can_id;
    __u32 nframes;
    struct can_frame frames[0];
}
(gdb) p/x &((struct bcm_msg_head *)0x0)->count
$1 = 0x8
(gdb) p/x &((struct bcm_msg_head *)0x0)->ival1
$2 = 0x10
(gdb) p sizeof(((struct bcm_msg_head *)0x0)->count)
$3 = 4

>2.
>Finding structs with non-zero-ed gaps should be easy with a script or
>even better with a GCC directive. I believe Syzbot does such a thing too.
>
>Kind Regards,
>Patrick Menschel

I didn't notice any syzbot report about this leak, nor did I find it with syzkaller.

Norbert
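Added example, not code from the thread or from the kernel tree: a small C program that mirrors the struct layout shown in the gdb output above, locates the compiler padding with offsetof() (the portable form of the `&((struct bcm_msg_head *)0x0)->member` trick), counts how many padding bytes of an object are non-zero, and shows the zero-before-fill construction that keeps the hole from carrying stale stack bytes into a copy to user space. The local struct definitions and function names are constructed for this example; on an LP64 build the hole between count and ival1 is 4 bytes, on ILP32 there is none.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed local mirror of the uapi layout shown in the gdb output above;
 * the trailing frames[] flexible array is left out since it does not move
 * the members before it. */
typedef uint32_t canid_t;
struct bcm_timeval { long tv_sec; long tv_usec; };
struct bcm_msg_head {
	uint32_t opcode, flags, count;
	struct bcm_timeval ival1, ival2;
	canid_t can_id;
	uint32_t nframes;
};

/* offsetof() is the portable form of the "&((struct *)0x0)->member" gdb trick. */
#define M(m) { offsetof(struct bcm_msg_head, m), sizeof(((struct bcm_msg_head *)0)->m) }
static const struct { size_t off, size; } members[] = {
	M(opcode), M(flags), M(count), M(ival1), M(ival2), M(can_id), M(nframes),
};
#define NMEMBERS (sizeof members / sizeof members[0])

/* Walk the gaps between consecutive members (and after the last one).
 * Returns the number of padding bytes; if h is non-NULL, also counts how many
 * of those bytes in *h are non-zero into *dirty. A raw copy of the object to
 * user space leaks every dirty byte. */
size_t bcm_msg_head_padding(const struct bcm_msg_head *h, size_t *dirty)
{
	const unsigned char *p = (const unsigned char *)h;
	size_t pad = 0, nz = 0, end = 0;
	for (size_t i = 0; i <= NMEMBERS; i++) {
		size_t next = i < NMEMBERS ? members[i].off : sizeof *h;
		for (size_t b = end; b < next; b++, pad++)
			if (h && p[b]) nz++;
		if (i < NMEMBERS) end = members[i].off + members[i].size;
	}
	if (dirty) *dirty = nz;
	return pad;   /* 4 on LP64 (hole between count and ival1), 0 on ILP32 */
}

/* Safe construction: zero the whole object before filling members, so the
 * padding cannot carry stale stack contents. */
void bcm_msg_head_init(struct bcm_msg_head *h, uint32_t opcode, uint32_t count)
{
	memset(h, 0, sizeof *h);
	h->opcode = opcode;
	h->count = count;
}
```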

Thread overview: 8+ messages
2021-06-12 21:09 [PATCH] can: bcm: fix infoleak in struct bcm_msg_head Norbert Slusarek
2021-06-13  9:51 ` Oliver Hartkopp
2021-06-13 11:18   ` Patrick Menschel
2021-06-13 13:35     ` Norbert Slusarek [this message]
2021-06-13 15:36       ` Patrick Menschel
2021-06-13 18:33         ` Norbert Slusarek
2021-06-14  7:20 ` Marc Kleine-Budde
2021-06-15 20:40   ` Norbert Slusarek