Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20131128180200.GL4118@order.stressinduktion.org>
Date: Thu, 28 Nov 2013 19:02:00 +0100
From: Hannes Frederic Sowa <hannes@...essinduktion.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Linux kernel: net: uninitialised memory leakage

Hello!

On Thu, Nov 28, 2013 at 11:10:46PM +0530, P J P wrote:
> Linux kernel built with the networking support(CONFIG_NET), is vulnerable 
> to a memory leakage flaw. It occurs while doing the recvmsg(2), 
> recvfrom(2), recvmmsg(2) socket calls.
> 
> A user/program could use this flaw to leak kernel memory bytes.
> 
> Upstream fix:
> -------------
>  -> 
>  https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=bceaa90240b6019ed73b49965eac7d167610be69

This patch does break stuff, a follow-up is needed which did not get
to Linus yet, but is already queued up for stable. Otherwise traceroute
is broken:

https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=85fbaa75037d0b6b786ff18658ddf0b4014ce2a4

I found other leaks in non-inet protocols:

https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=f3d3342602f8bcbf37d7c46641cb9bca7618eb1c

The protocols where I did remove msg_namelen = 0 where actually
safe. Some of the protocols I did not touch could leak up to 128 bytes
of uninitialized data from the stack.

Hardening against out-of-bounds writes:
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=68c6beb373955da0886d8f4f5995b3922ceda4be

Also there is a small 2-bytes memory leak in extended error reporting:
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=68c6beb373955da0886d8f4f5995b3922ceda4be

Greetings,

  Hannes

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.