Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 2 Nov 2010 13:11:00 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: kernel stack infoleaks

Note that AF_PACKET requires CAP_NET_RAW to open a socket, so the
second issue isn't reachable by unprivileged users and shouldn't be
considered a security issue.

-Dan

On Tue, Nov 2, 2010 at 12:07 PM, Jon Oberheide <jon@...rheide.org> wrote:
> Vasiliy Kulikov discovered three kernel stack infoleaks in various
> packet families of the net subsystem:
>
> ===========================================================
>
> net/ax25
>
> Sometimes ax25_getname() doesn't initialize all members of
> fsa_digipeater field of fsa struct.  This structure is then copied to
> userland.  It leads to leaking of contents of kernel stack memory.  We
> have to initialize them to zero.
>
> http://marc.info/?l=linux-netdev&m=128854507120898&w=2
>
> ===========================================================
>
> net/packet
>
> packet_getname_spkt() doesn't initialize all members of sa_data field of
> sockaddr struct if strlen(dev->name) < 13.  This structure is then
> copied to userland.  It leads to leaking of contents of kernel stack
> memory.  We have to fully fill sa_data with strncpy() instead of
> strlcpy().
>
> http://marc.info/?l=linux-netdev&m=128854507220908&w=2
>
> ===========================================================
>
> net/tipc
>
> Structure sockaddr_tipc is copied to userland with padding bytes after
> "id" field in union field "name" unitialized.  It leads to leaking of
> contents of kernel stack memory.  We have to initialize them to zero.
>
> http://marc.info/?l=linux-netdev&m=128854507420917&w=2
>
> ===========================================================
>
> Regards,
> Jon Oberheide
>
> --
> Jon Oberheide <jon@...rheide.org>
> GnuPG Key: 1024D/F47C17FE
> Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ