Message-ID: <CABXRUiTEQs=qocLyQuGSXaAkk_tkA+=dQO=6EyhqfGeU3Pm_dg@mail.gmail.com>
Date: Thu, 18 Apr 2019 21:33:19 +0800
From: Fuqian Huang <huangfq.daxian@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel < 4.14.111 drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c kernel address dumps to user space

In drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c:320
ppm_destroy will dump the address of ppm into dmesg, which allows a local
user to read the kernel address via dmesg.

static void ppm_destroy(struct kref *kref)
{
        ...
        pr_info("ippm: kref 0, destroy %s ppm 0x%p.\n",
                ppm->ndev->name, ppm);
        ...
}

In drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c:396 and
drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c:458 and
drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c:468,
cxgbi_ppm_init will dump the address of ppm into dmesg, which allows a local
user to read the kernel address via dmesg.

int cxgbi_ppm_init(void **ppm_pp, struct net_device *ndev,
                   struct pci_dev *pdev, void *lldev,
                   struct cxgbi_tag_format *tformat,
                   unsigned int ppmax,
                   unsigned int llimit,
                   unsigned int start,
                   unsigned int reserve_factor)
{
        ...
        if (ppm) {
                pr_info("ippm: %s, ppm 0x%p,0x%p already initialized, %u/%u.\n",
                        ndev->name, ppm_pp, ppm, ppm->ppmax, ppmax);
                kref_get(&ppm->refcnt);
                return 1;
        }
        ...
        if (*ppm_pp) {
                ...
                pr_info("ippm: %s, ppm 0x%p,0x%p already initialized, %u/%u.\n",
                        ndev->name, ppm_pp, *ppm_pp, ppm->ppmax, ppmax);
                kref_get(&ppm->refcnt);
                return 1;
        }
        ...
        pr_info("ippm %s: ppm 0x%p, 0x%p, base %u/%u, pg %lu,%u, rsvd %u,%u.\n",
                ndev->name, ppm_pp, ppm, ppm->base_idx, ppm->ppmax, PAGE_SIZE,
                ppm->tformat.pgsz_idx_dflt, ppm->pool_rsvd,
                ppm->pool_index_max);
        ...
}
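
Added example, not part of the original post and not kernel code: a small Python audit helper that finds printk-family calls whose format string contains a plain %p (or %px) conversion and reports which argument each one prints, run on two of the pr_info() calls quoted above. It assumes a kernel where %p prints the pointer value as-is, which is the behaviour the post describes; split_call_args, find_raw_pointer_prints and SAMPLE are names made up for this example.

```python
import re

CALL = re.compile(r"\b(?:printk|(?:pr|dev|netdev)_(?:emerg|alert|crit|err|warn|"
                  r"notice|info|debug|dbg))\s*\(")
LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[()\[\],]|[^"()\[\],]+')
# One conversion: flags, width, precision, length modifier, conversion character.
CONV = re.compile(r"%[-+ #0]*[\d*]*(?:\.[\d*]+)?(?:hh|h|ll|l|z|t|L)?([%a-zA-Z])")

def split_call_args(src, start):
    """Split the call whose '(' is at src[start] into its top-level arguments."""
    args, cur, depth = [], "", 0
    for t in TOKEN.finditer(src, start):
        tok = t.group(0)
        depth += (tok in ("(", "[")) - (tok in (")", "]"))
        if depth == 0:
            return args + [cur.strip()]
        if tok == "," and depth == 1:
            args, cur = args + [cur.strip()], ""
        elif (tok, depth) != ("(", 1):      # skip the call's own opening paren
            cur += tok
    return []                               # unbalanced call: nothing to report

def find_raw_pointer_prints(src):
    """Return (line, argument) for each plain %p or %px conversion in a log call."""
    hits = []
    for m in CALL.finditer(src):
        args = split_call_args(src, m.end() - 1)
        k = next((j for j, a in enumerate(args) if '"' in a), None)
        if k is None:
            continue
        fmt, values, n = "".join(LITERAL.findall(args[k])), args[k + 1:], 0
        for c in CONV.finditer(fmt):
            n += c.group(0).count("*")      # '*' width/precision takes an argument
            nxt = fmt[c.end():c.end() + 1]  # %pK, %pM, ... are extended forms
            if c.group(1) == "p" and (nxt == "x" or not nxt.isalnum()):
                line = src.count("\n", 0, m.start()) + 1
                hits.append((line, values[n] if n < len(values) else "?"))
            n += c.group(1) != "%"          # "%%" consumes no argument
    return hits

# Two pr_info() calls quoted in the post, plus one constructed %pK line for contrast.
SAMPLE = r'''pr_info("ippm: kref 0, destroy %s ppm 0x%p.\n",
        ppm->ndev->name, ppm);
pr_info("ippm: %s, ppm 0x%p,0x%p already initialized, %u/%u.\n",
        ndev->name, ppm_pp, *ppm_pp, ppm->ppmax, ppmax);
pr_info("constructed: ppm %pK\n", ppm);
'''
print(find_raw_pointer_prints(SAMPLE))
```

Each hit is a candidate for review: the usual remedies are to drop the pointer from the message or to switch to %pK, which honours the kptr_restrict sysctl.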