* [PATCH] 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt
@ 2009-02-11 14:56 Clément LECIGNE
From: Clément LECIGNE @ 2009-02-11 14:56 UTC (permalink / raw)
To: linux-kernel
[-- Attachment #1: Type: text/plain, Size: 647 bytes --]
Hello lkml,
In function sock_getsockopt() located in net/core/sock.c, the optval v.val is
not correctly initialized and is returned directly to userland when the
SO_BSDCOMPAT option is requested.
This dummy code should trigger the bug:
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

int main(void)
{
	unsigned char buf[4] = { 0, 0, 0, 0 };
	socklen_t len = sizeof(buf);	/* must hold the buffer size on entry */
	int sock;

	/* domain 33, type 2 (SOCK_DGRAM), protocol 2, as in the original post;
	 * level 1 is SOL_SOCKET on Linux */
	sock = socket(33, 2, 2);
	if (sock < 0 || getsockopt(sock, SOL_SOCKET, SO_BSDCOMPAT, buf, &len) < 0)
		return 1;
	printf("%02x%02x%02x%02x\n", buf[0], buf[1], buf[2], buf[3]);
	close(sock);
	return 0;
}
Here is a patch that fixes this bug by initializing v.val just after its
declaration.
Bests,
--
Clément LECIGNE,
:%s/coin/& coin/g
[-- Attachment #2: sock.bsdcompat.patch --]
[-- Type: application/octet-stream, Size: 332 bytes --]
--- linux/net/core/sock.c 2008-11-26 14:37:17.000000000 -0800
+++ linux/net/core/sock.c 2008-11-26 14:37:45.000000000 -0800
@@ -695,6 +695,8 @@
if (len < 0)
return -EINVAL;
+ v.val = 0;
+
switch(optname) {
case SO_DEBUG:
v.val = sock_flag(sk, SOCK_DBG);
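Review bot: `v.val = 0;` zeros only the int member of v; if v is a union that also holds the larger structures other cases in this switch hand back (a struct linger or a timeval), those bytes stay uninitialized, and any future case that returns a larger len without writing v would leak again. `memset(&v, 0, sizeof(v));` at the same spot is the more defensive form and costs nothing. The hunk is also missing the Signed-off-by line needed for it to be merged.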
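The report above describes the mechanism (a local object in sock_getsockopt() that the SO_BSDCOMPAT case never writes before it is copied to userland) but only the 4-byte probe. The program below is an added example, not code from the thread or from the kernel: it models that path on a user-space stand-in for the kernel's local `v` (an assumed union of the int and the larger members other options use), with a constructed "stale stack" pattern so the uninitialized read is deterministic, and compares three variants (unfixed, the patch's `v.val = 0`, and a full `memset`). It also keeps a probe that runs the real SO_BSDCOMPAT query against whatever kernel it is run on. The `optval` union, the `fix_mode` values and the helper names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#ifndef SO_BSDCOMPAT
#define SO_BSDCOMPAT 14	/* Linux value; only needed if the header lacks it */
#endif

/* Assumed stand-in for the local `v` in sock_getsockopt(): an int for the
 * common options plus the larger members other cases of the same switch use. */
union optval {
	int val;
	struct linger ling;
	struct timeval tm;
};

enum fix_mode { UNFIXED = 0, FIX_VAL_ONLY = 1, FIX_MEMSET = 2 };

static int count_nonzero(const unsigned char *p, size_t n)
{
	int c = 0;
	while (n--)
		c += (*p++ != 0);
	return c;
}

/* Models the SO_BSDCOMPAT path. `stale` stands for whatever earlier kernel
 * code left in the stack slot (an uninitialized read in real life, made
 * deterministic here). Copies `len` bytes to `out` like copy_to_user() would
 * and the entire object to `whole` so the test can inspect the rest. */
static int model_bsdcompat(enum fix_mode mode, const union optval *stale,
			   unsigned char *out, unsigned char *whole)
{
	union optval v = *stale;	/* the "uninitialized" local */
	int len = sizeof(int);		/* sock_getsockopt() clamps len to sizeof(int) */

	if (mode == FIX_MEMSET)
		memset(&v, 0, sizeof(v));	/* zero the whole object */
	else if (mode == FIX_VAL_ONLY)
		v.val = 0;			/* the patch in this thread */

	/* case SO_BSDCOMPAT: nothing is written to v before the copy */
	memcpy(out, &v, len);
	memcpy(whole, &v, sizeof(v));
	return len;
}

/* Stale bytes reaching "userland" in the 4-byte reply for a given fix mode. */
int leaked_bytes(enum fix_mode mode)
{
	union optval stale;
	unsigned char out[sizeof(union optval)], whole[sizeof(union optval)];
	int n;

	memset(&stale, 0x41, sizeof(stale));	/* constructed stale stack content */
	n = model_bsdcompat(mode, &stale, out, whole);
	return count_nonzero(out, n);
}

/* Stale bytes left anywhere in the object after the fix: non-zero for
 * FIX_VAL_ONLY, which is why zeroing the entire object is the robust choice. */
int stale_bytes_in_object(enum fix_mode mode)
{
	union optval stale;
	unsigned char out[sizeof(union optval)], whole[sizeof(union optval)];

	memset(&stale, 0x41, sizeof(stale));
	model_bsdcompat(mode, &stale, out, whole);
	return count_nonzero(whole, sizeof(whole));
}

/* The thread's probe against the running kernel: number of non-zero bytes in
 * the 4-byte SO_BSDCOMPAT reply, or -1 if the socket or the call fails. */
int probe_running_kernel(int domain, int type, int protocol)
{
	unsigned char buf[4] = { 0, 0, 0, 0 };
	socklen_t len = sizeof(buf);
	int s = socket(domain, type, protocol);

	if (s < 0)
		return -1;
	if (getsockopt(s, SOL_SOCKET, SO_BSDCOMPAT, buf, &len) < 0) {
		close(s);
		return -1;
	}
	close(s);
	return count_nonzero(buf, len);
}

int main(void)
{
	printf("model: unfixed leaks %d bytes, v.val=0 leaks %d, memset leaks %d\n",
	       leaked_bytes(UNFIXED), leaked_bytes(FIX_VAL_ONLY), leaked_bytes(FIX_MEMSET));
	printf("model: stale bytes left in the object after v.val=0: %d of %zu\n",
	       stale_bytes_in_object(FIX_VAL_ONLY), sizeof(union optval));
	printf("running kernel (AF_INET/SOCK_DGRAM): %d non-zero bytes (-1 = call failed)\n",
	       probe_running_kernel(AF_INET, SOCK_DGRAM, 0));
	return 0;
}
```

The model makes the reviewer's point concrete: with only `v.val = 0`, the 4 bytes that this particular option copies out are clean, but the rest of the object still carries the stale pattern, so any case that copies more than `sizeof(int)` without writing `v` would expose it. On a kernel that zeros the whole object, the live probe reports 0 non-zero bytes.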
* Re: [PATCH] 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt
2009-02-11 14:56 [PATCH] 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt Clément LECIGNE
@ 2009-02-11 21:45 ` David Miller
From: David Miller @ 2009-02-11 21:45 UTC (permalink / raw)
To: clement.lecigne; +Cc: linux-kernel, netdev
From: Clément LECIGNE <clement.lecigne@netasq.com>
Date: Wed, 11 Feb 2009 15:56:56 +0100
> Hello lkml,
>
> In function sock_getsockopt() located in net/core/sock.c, the optval v.val is not correctly initialized and is returned directly to userland when the SO_BSDCOMPAT option is requested.
>
> This dummy code should trigger the bug:
Some problems with your patch:
1) Your patch doesn't apply properly. It has been corrupted.
Somehow, even though you used an attachment, tab characters were
transformed into spaces.
2) Networking patches should be sent with at least
netdev@vger.kernel.org CC:'d so that your patch gets
properly traced at http://patchwork.ozlabs.org/project/netdev/list/
3) You need to provide a proper "Signed-off-by:" line with your
patch description. See linux/Documentation/SubmittingPatches
for details.
Please fix these issues up and resubmit your patch.
Thank you.