Message-ID: <CA+rthh9mT9m8_3OTH1aE0ufW6x3Fwho-=L4YiigJWAPhTUrbtQ@mail.gmail.com>
Date: Tue, 23 Apr 2013 13:23:22 +0200
From: Mathias Krause <minipli@...glemail.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: Linux kernel: more net info leak fixes for v3.9

On Tue, Apr 23, 2013 at 12:22 PM, P J P <ppandit@...hat.com> wrote:
> +-- On Mon, 22 Apr 2013, cve-assign@...re.org wrote --+
> | ef3313e84acbf349caecae942ab3ab731471f1a1 CVE-2013-3223
>
>    *sax = (struct sockaddr_ax25 *)msg->msg_name;
>
> Here, - *sax - seems to point to users `msg_name' object, no?

no ;)

> Because of the earlier copy_from_user in net/socket.h:

net/socket.c, I guess. The copy_from_user is followed by
verify_iovec() that sets msg_name to "addr" -- a kernel stack
variable.

>
> ===
>   get_compat_msghdr(msg_sys, msg_compat)
>    OR
>   copy_from_user(msg_sys, msg, sizeof(struct msghdr)
> ===
>
> Is - memset(sax, 0, sizeof(full_sockaddr_ax25)) - setting users memory area?

No, for the above reason.

Please ask your colleagues at RedHat for any further explanations of
the code. AFAIK, oss-sec is no kernel hacker newbie forum ;)


Mathias
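The point of the exchange above is that `msg_name` is a kernel stack slot (the `addr` variable that verify_iovec() points it at), so the memset in the fix zeroes kernel memory, not user memory, and what it prevents is stale stack bytes travelling out through the later copy of the address to userspace. The following user-space C model is an added example, not code from this thread or from the kernel: the struct layout follows the field names of the kernel's `struct sockaddr_ax25` / `struct full_sockaddr_ax25` but sizes and alignment are whatever this compiler produces, the `0xAA` fill is a constructed stand-in for whatever an earlier code path left on the stack, and `copy_name_to_user()` stands in for the recvmsg path that fills the address and copies it back. It also varies the number of digipeaters, which the thread does not discuss, to show which bytes remain stale.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field names follow include/net/ax25.h; sizes/padding are this compiler's. */
typedef struct { char ax25_call[7]; } ax25_address;

struct sockaddr_ax25 {
    uint16_t     sax25_family;
    ax25_address sax25_call;
    int          sax25_ndigis;   /* compiler padding usually precedes this */
};

#define AX25_MAX_DIGIS 8
struct full_sockaddr_ax25 {
    struct sockaddr_ax25 fsa_ax25;
    ax25_address         fsa_digipeater[AX25_MAX_DIGIS];
};

#define AF_AX25_VALUE 3     /* Linux AF_AX25 */
#define STALE_BYTE    0xAA  /* constructed marker for old kernel-stack content */

/* Stand-in for the kernel stack slot ("addr") that verify_iovec() makes
 * msg_name point at. A union keeps the struct view correctly aligned. */
static union {
    unsigned char             bytes[sizeof(struct full_sockaddr_ax25)];
    struct full_sockaddr_ax25 fsa;
} kstack;

static void fill_stale_stack(void)
{
    memset(kstack.bytes, STALE_BYTE, sizeof kstack.bytes);
}

/* Models the recvmsg path: fill only the fields there is a value for, then
 * copy the whole structure to the caller (the copy_to_user of msg_name).
 * With clear_first == 0 padding and unused digipeater slots keep whatever
 * was on the stack; clear_first == 1 is the memset added by the fix. */
static size_t copy_name_to_user(unsigned char *user_buf, size_t user_len,
                                int ndigis, int clear_first)
{
    struct full_sockaddr_ax25 *fsa = &kstack.fsa;

    if (clear_first)
        memset(fsa, 0, sizeof *fsa);

    fsa->fsa_ax25.sax25_family = AF_AX25_VALUE;
    memcpy(fsa->fsa_ax25.sax25_call.ax25_call, "N0CALL ", 7); /* constructed */
    fsa->fsa_ax25.sax25_ndigis = ndigis;
    for (int i = 0; i < ndigis && i < AX25_MAX_DIGIS; i++)
        memcpy(fsa->fsa_digipeater[i].ax25_call, "DIGI   ", 7); /* constructed */

    size_t n = sizeof *fsa;
    if (n > user_len)
        n = user_len;
    memcpy(user_buf, fsa, n);
    return n;
}

static size_t count_stale_bytes(const unsigned char *buf, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE_BYTE)
            c++;
    return c;
}

/* One recvmsg against a freshly "dirty" stack: how many bytes of old
 * kernel-stack content end up in the user buffer? */
static size_t leaked_bytes(int ndigis, int fixed)
{
    unsigned char user_buf[sizeof(struct full_sockaddr_ax25)];

    fill_stale_stack();
    size_t n = copy_name_to_user(user_buf, sizeof user_buf, ndigis, fixed);
    return count_stale_bytes(user_buf, n);
}

int main(void)
{
    printf("unfixed, 0 digipeaters: %zu stale bytes reach userspace\n",
           leaked_bytes(0, 0));
    printf("unfixed, %d digipeaters: %zu stale bytes reach userspace\n",
           AX25_MAX_DIGIS, leaked_bytes(AX25_MAX_DIGIS, 0));
    printf("fixed,   0 digipeaters: %zu stale bytes reach userspace\n",
           leaked_bytes(0, 1));
    return 0;
}
```

The unused digipeater slots alone are 56 bytes, so a socket with no digipeaters hands most of the structure's stale contents to the caller; filling every slot still leaves the struct padding. Zeroing the whole `full_sockaddr_ax25` before filling it, which is what the fix does, removes both, and the same reasoning applies to any recvmsg path that builds its `msg_name` in place on the stack.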
