linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* 'skb' buffer address information leakage
@ 2017-07-04  5:12 Dison River
  2017-07-04  5:27 ` Jakub Kicinski
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Dison River @ 2017-07-04  5:12 UTC (permalink / raw)
  To: samuel, netdev, linux-kernel, qca_merez, kvalo, linux-wireless,
	jakub.kicinski, davem, oss-drivers, security, wil6210

Hi all:
I'd found several address leaks of "skb" buffer.When i have a
arbitrary address write vulnerability in kernel(enabled kASLR),I can
use skb's address find sk_destruct's address and overwrite it. And
then,invoke close(sock_fd) function can trigger the
shellcode(sk_destruct func).

In kernel 4.12-rc7
drivers/net/irda/vlsi_ir.c:326           seq_printf(seq, "skb=%p
data=%p hw=%p\n", rd->skb, rd->buf, rd->hw);
drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c:167
         seq_printf(file, " frag=%p", skb);
drivers/net/wireless/ath/wil6210/debugfs.c:926           seq_printf(s,
"  SKB = 0x%p\n", skb);

Thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2017-07-04 18:13 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-07-04  5:12 'skb' buffer address information leakage Dison River
2017-07-04  5:27 ` Jakub Kicinski
2017-07-04  7:44 ` Greg KH
2017-07-04 18:13 ` Stephen Hemminger

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).