From: Norbert Slusarek <email@example.com>
To: Patrick Menschel <firstname.lastname@example.org>
Cc: Oliver Hartkopp <email@example.com>, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
Subject: Re: [PATCH] can: bcm: fix infoleak in struct bcm_msg_head
Date: Sun, 13 Jun 2021 20:33:31 +0200
Message-ID: <trinity-87eaea25-2a7d-4aa9-92a5-269b822e5d95-1623609211076@3c-app-gmx-bs04>
In-Reply-To: <email@example.com>

>Ouch,
>
>I should not skip lines while reading.
>We're talking about different gaps as it seems. I didn't realize the gap
>in front of ival1 before.
>
>There is also a gap in between nframes and frames.
>That one is caused by align(8) of data in struct can_frame.
>It propagates upwards into that gap on 32bit arch.
>You can find it if you actually fill frames with a frame.
>
>I found it while concatenating bcm_msg_head and a can frame into a
>python bytearray which was too short for the raspberry pi as I forgot
>the alignment.
>
>I came up with a format string "IIIllllII0q" for bcm_msg_head.
>
>Kind Regards,
>Patrick

I confirm that there is a similar 4-byte leak happening on 32-bit systems.
It's possible to retrieve kernel addresses etc. which allows for a KASLR bypass.
I will request a CVE and publish a notice regarding this on oss-security
where I will mention Patrick too.

Anyways, this patch seems to be working for the leak on 32-bit systems as well.

Norbert
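The two gaps the thread is talking about, worked through as an added example (not code from the thread or from the kernel patch): a small layout model of struct bcm_msg_head that reports where the compiler inserts padding on 32-bit and 64-bit Linux, i.e. the bytes that leak stack contents if the header is copied to user space without being zeroed first. Field order and types are taken from the uapi definition (opcode, flags, count, ival1, ival2, can_id, nframes, frames[0]); the 8-byte alignment of frames[] follows from the aligned(8) data member of struct can_frame that Patrick mentions.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Field:
    name: str
    size: int   # sizeof the member (0 for the flexible array frames[0])
    align: int  # required alignment of the member

def bcm_msg_head_fields(bits: int) -> list:
    """Members of struct bcm_msg_head; 'long' is 4 bytes on 32-bit, 8 on 64-bit."""
    long_sz = bits // 8
    return [
        Field("opcode", 4, 4),
        Field("flags", 4, 4),
        Field("count", 4, 4),
        Field("ival1", 2 * long_sz, long_sz),   # struct bcm_timeval { long; long; }
        Field("ival2", 2 * long_sz, long_sz),
        Field("can_id", 4, 4),
        Field("nframes", 4, 4),
        # frames[0]: struct can_frame carries data[8] __attribute__((aligned(8))),
        # so the array (and therefore the whole struct) is 8-byte aligned.
        Field("frames", 0, 8),
    ]

def layout(fields):
    """Return (offsets by name, [(pad_offset, pad_len)], sizeof)."""
    offsets, pads, off = {}, [], 0
    for f in fields:
        aligned = -(-off // f.align) * f.align      # round off up to f.align
        if aligned != off:
            pads.append((off, aligned - off))       # compiler-inserted hole
        offsets[f.name] = aligned
        off = aligned + f.size
    max_align = max(f.align for f in fields)
    end = -(-off // max_align) * max_align          # trailing padding, if any
    if end != off:
        pads.append((off, end - off))
    return offsets, pads, end

def padding_gaps(bits: int):
    """Padding byte ranges that an un-zeroed copy_to_user() of the header exposes."""
    return layout(bcm_msg_head_fields(bits))[1]

def matches_patrick_format() -> bool:
    """Patrick's "IIIllllII0q" format string gives the same sizeof as this model on the host."""
    host_bits = 8 * struct.calcsize("l")
    return struct.calcsize("IIIllllII0q") == layout(bcm_msg_head_fields(host_bits))[2]

if __name__ == "__main__":
    for bits in (32, 64):
        print(bits, "bit: sizeof", layout(bcm_msg_head_fields(bits))[2], "padding", padding_gaps(bits))
```

On 64-bit the hole is the 4 bytes before ival1 (offset 12), on 32-bit it is the 4 bytes between nframes and frames (offset 36); either way the fix is to zero the whole header before filling it.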