Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 2 Nov 2010 15:08:46 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: kernel stack infoleaks

And since I've already gotten flack for this comment, I'll add for the
sake of clarity: the second item is not a security issue if
CAP_NET_RAW is synonymous with root access in your privilege model, as
is the case on most systems.

-Dan

On Tue, Nov 2, 2010 at 1:11 PM, Dan Rosenberg <dan.j.rosenberg@...il.com> wrote:
> Note that AF_PACKET requires CAP_NET_RAW to open a socket, so the
> second issue isn't reachable by unprivileged users and shouldn't be
> considered a security issue.
>
> -Dan
>
> On Tue, Nov 2, 2010 at 12:07 PM, Jon Oberheide <jon@...rheide.org> wrote:
>> Vasiliy Kulikov discovered three kernel stack infoleaks in various
>> packet families of the net subsystem:
>>
>> ===========================================================
>>
>> net/ax25
>>
>> Sometimes ax25_getname() doesn't initialize all members of
>> fsa_digipeater field of fsa struct.  This structure is then copied to
>> userland.  It leads to leaking of contents of kernel stack memory.  We
>> have to initialize them to zero.
>>
>> http://marc.info/?l=linux-netdev&m=128854507120898&w=2
>>
>> ===========================================================
>>
>> net/packet
>>
>> packet_getname_spkt() doesn't initialize all members of sa_data field of
>> sockaddr struct if strlen(dev->name) < 13.  This structure is then
>> copied to userland.  It leads to leaking of contents of kernel stack
>> memory.  We have to fully fill sa_data with strncpy() instead of
>> strlcpy().
>>
>> http://marc.info/?l=linux-netdev&m=128854507220908&w=2
>>
>> ===========================================================
>>
>> net/tipc
>>
>> Structure sockaddr_tipc is copied to userland with padding bytes after
>> "id" field in union field "name" unitialized.  It leads to leaking of
>> contents of kernel stack memory.  We have to initialize them to zero.
>>
>> http://marc.info/?l=linux-netdev&m=128854507420917&w=2
>>
>> ===========================================================
>>
>> Regards,
>> Jon Oberheide
>>
>> --
>> Jon Oberheide <jon@...rheide.org>
>> GnuPG Key: 1024D/F47C17FE
>> Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE
>>
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ