linux-kernel.vger.kernel.org archive mirror
* [PATCH] 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt
@ 2009-02-11 14:56 Clément LECIGNE
  2009-02-11 21:45 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Clément LECIGNE @ 2009-02-11 14:56 UTC (permalink / raw)
  To: linux-kernel


Hello lkml,

In function sock_getsockopt() located in net/core/sock.c, optval v.val is
not correctly initialized and is returned directly to userland in case the
SO_BSDCOMPAT option is set.

This dummy code should trigger the bug:

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>

int main(void)
{
	unsigned char buf[4] = { 0, 0, 0, 0 };
	socklen_t len = sizeof(buf);	/* was left uninitialized */
	int sock;
	sock = socket(33, 2, 2);		/* 33 = AF_RXRPC, datagram socket */
	if (sock < 0)
		return 1;
	/* level 1 == SOL_SOCKET; buf receives v.val as the kernel left it */
	getsockopt(sock, 1, SO_BSDCOMPAT, buf, &len);
	printf("%02x%02x%02x%02x\n", buf[0], buf[1], buf[2], buf[3]);
	close(sock);
	return 0;
}

Here is a patch that fixes this bug by initializing v.val just after its
declaration.

Bests,

-- 
Clément LECIGNE,
:%s/coin/& coin/g

[-- Attachment #2: sock.bsdcompat.patch --]

--- linux/net/core/sock.c        2008-11-26 14:37:17.000000000 -0800
+++ linux/net/core/sock.c        2008-11-26 14:37:45.000000000 -0800
@@ -695,6 +695,8 @@
        if (len < 0)
                return -EINVAL;
 
+       v.val = 0;
+
        switch(optname) {
        case SO_DEBUG:
                v.val = sock_flag(sk, SOCK_DBG);
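Review bot: `v.val = 0;` before the switch zeroes only the int member of the union, which is enough for SO_BSDCOMPAT because that case hands back at most sizeof(int) bytes, but it leaves the rest of the union untouched; a `memset(&v, 0, sizeof(v));` in the same place would also cover any case that copies out a larger member without writing all of it. The SO_BSDCOMPAT case itself still writes nothing, so a reader of the switch cannot see that the returned value is deliberately zero; an explicit `v.val = 0;` in that case would document it. Separately, the hunk is indented with spaces rather than the tabs the kernel source uses, so it will not apply cleanly as posted.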

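The bug the report describes, as an added model (not code from the thread or from the kernel) of how sock_getsockopt() fills a union and copies it to userland: the SO_BSDCOMPAT case writes nothing before the copy-out, so whatever the stack held comes back, and the `patched` flag adds the reporter's `v.val = 0`. The union layout, the 0xAA fill standing in for stale stack bytes, and the function names are constructed for this example.

```c
#include <string.h>
#include <sys/socket.h>
#ifndef SO_BSDCOMPAT
#define SO_BSDCOMPAT 14          /* Linux value, for non-Linux headers */
#endif

/* Model of the union sock_getsockopt() fills: the int shares storage with larger members. */
union opt_val {
	int val;
	unsigned char raw[8];
};

/* Returns bytes copied to 'out', or -1 on error. 'patched' enables the v.val = 0 line. */
int model_getsockopt(int optname, unsigned char *out, int len, int patched)
{
	union opt_val v;
	int lv = sizeof(int);

	/* Constructed stand-in for stale kernel stack contents left by earlier calls. */
	memset(v.raw, 0xAA, sizeof(v.raw));

	if (len < 0)
		return -1;
	if (patched)
		v.val = 0;           /* the one-line fix from the patch */

	switch (optname) {
	case SO_DEBUG:
		v.val = 1;           /* a normal case always writes v.val */
		break;
	case SO_BSDCOMPAT:
		break;               /* option is ignored: nothing written before copy-out */
	default:
		return -1;
	}
	if (len > lv)
		len = lv;            /* at most sizeof(int) bytes go back to userland */
	memcpy(out, &v, len);        /* copy_to_user() in the kernel */
	return len;
}

/* 1 if any byte returned for SO_BSDCOMPAT is non-zero, i.e. stale data leaked. */
int leaks_stale_bytes(int patched)
{
	unsigned char out[4] = { 0 };
	int n = model_getsockopt(SO_BSDCOMPAT, out, sizeof out, patched);
	for (int i = 0; i < n; i++)
		if (out[i] != 0)
			return 1;
	return 0;
}
```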

* Re: [PATCH] 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt
  2009-02-11 14:56 [PATCH] 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt Clément LECIGNE
@ 2009-02-11 21:45 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2009-02-11 21:45 UTC (permalink / raw)
  To: clement.lecigne; +Cc: linux-kernel, netdev

From: Clément LECIGNE <clement.lecigne@netasq.com>
Date: Wed, 11 Feb 2009 15:56:56 +0100

> Hello lkml,
> 
> In function sock_getsockopt() located in net/core/sock.c, optval v.val is not correctly initialized and is returned directly to userland in case the SO_BSDCOMPAT option is set.
> 
> This dummy code should trigger the bug:

Some problems with your patch:

1) Your patch doesn't apply properly.  It has been corrupted.

   Somehow, even though you used an attachment, tab characters were
   transformed into spaces.

2) Networking patches should be sent with at least
   netdev@vger.kernel.org CC:'d so that your patch gets
   properly traced at http://patchwork.ozlabs.org/project/netdev/list/

3) You need to provide a proper "Signed-off-by:" line with your
   patch description.  See linux/Documentation/SubmittingPatches
   for details.

Please fix these issues up and resubmit your patch.

Thank you.

