>Ouch,
>
>I should not skip lines while reading.
>We're talking about different gaps as it seems. I didn't realize the gap
>in front of ival1 before.
>
>There is also a gap in between nframes and frames[0].
>That one is caused by align(8) of data in struct can_frame.
>It propagates upwards into that gap on 32-bit arch.
>You can find it if you actually fill frames[] with a frame.
>
>I found it while concatenating bcm_msg_head and a can frame into a
>Python bytearray which was too short for the Raspberry Pi as I forgot
>the alignment.
>
>I came up with a format string "IIIllllII0q" for bcm_msg_head.
>
>Kind Regards,
>Patrick

I confirm that there is a similar 4-byte leak happening on 32-bit systems.
It's possible to retrieve kernel addresses etc. which allows for a KASLR bypass.
I will request a CVE and publish a notice regarding this on oss-security where
I will mention Patrick too.

Anyways, this patch seems to be working for the leak on 32-bit systems as well.

Norbert
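The two gaps the thread talks about can be measured in user space without touching the kernel. The program below is an added example, not code from the thread or from the kernel patch Norbert refers to (which is not quoted here). It reproduces the `bcm_msg_head` and `can_frame` layouts as I know them from `linux/can/bcm.h` and `linux/can.h`, with `int32_t` standing in for `long` to mimic a 32-bit arch on any host and `int64_t` for the 64-bit case, and reports the padding with `offsetof()`. It then simulates the defect class: a header built field by field on a stack that still holds old contents (constructed here as `0xAA`) and copied out whole, versus the same header zeroed before the fields are written. The `memset` is the generic mitigation for struct padding leaks, not a claim about what the actual patch does; the field values are constructed.

```c
/* Added example: measure the bcm_msg_head padding gaps Patrick describes
 * and show why uninitialised padding leaks. Layouts mirror linux/can.h and
 * linux/can/bcm.h; leading underscores on reserved fields are dropped. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* can_frame: the aligned(8) data[] makes the whole struct 8-byte aligned,
 * which is what pushes a gap in front of frames[0] on a 32-bit layout. */
struct can_frame_like {
    uint32_t can_id;
    uint8_t  can_dlc;
    uint8_t  pad, res0, res1;
    uint8_t  data[8] __attribute__((aligned(8)));
};

/* bcm_timeval is two longs: 4 bytes each on 32-bit, 8 bytes each on 64-bit. */
struct bcm_timeval32 { int32_t tv_sec, tv_usec; };
struct bcm_timeval64 { int64_t tv_sec, tv_usec; };

struct bcm_msg_head32 {               /* mimics a 32-bit arch */
    uint32_t opcode, flags, count;
    struct bcm_timeval32 ival1, ival2;
    uint32_t can_id;
    uint32_t nframes;                 /* 4 bytes of padding follow here */
    struct can_frame_like frames[];
};

struct bcm_msg_head64 {               /* mimics a 64-bit arch */
    uint32_t opcode, flags, count;    /* 4 bytes of padding follow here */
    struct bcm_timeval64 ival1, ival2;
    uint32_t can_id;
    uint32_t nframes;
    struct can_frame_like frames[];
};

/* Padding between the end of nframes and frames[0]: 4 on 32-bit, 0 on 64-bit. */
size_t gap_before_frames32(void) {
    return offsetof(struct bcm_msg_head32, frames)
         - (offsetof(struct bcm_msg_head32, nframes) + sizeof(uint32_t));
}
size_t gap_before_frames64(void) {
    return offsetof(struct bcm_msg_head64, frames)
         - (offsetof(struct bcm_msg_head64, nframes) + sizeof(uint32_t));
}
/* Padding between the end of count and ival1: 0 on 32-bit, 4 on 64-bit. */
size_t gap_before_ival1_32(void) {
    return offsetof(struct bcm_msg_head32, ival1)
         - (offsetof(struct bcm_msg_head32, count) + sizeof(uint32_t));
}
size_t gap_before_ival1_64(void) {
    return offsetof(struct bcm_msg_head64, ival1)
         - (offsetof(struct bcm_msg_head64, count) + sizeof(uint32_t));
}

/* Build a 32-bit-layout header on "stack" memory that still holds stale
 * contents (constructed here as 0xAA), then copy the whole struct out as a
 * copy to user space would. Returns how many stale bytes reach the copy.
 * With zero_first set, the header is zeroed before the fields are written,
 * so the padding is deterministic and nothing stale is copied. */
int stale_bytes_in_header32(int zero_first) {
    unsigned char raw[sizeof(struct bcm_msg_head32)] __attribute__((aligned(8)));
    unsigned char out[sizeof(struct bcm_msg_head32)];
    struct bcm_msg_head32 *h = (struct bcm_msg_head32 *)raw;
    int stale = 0;

    memset(raw, 0xAA, sizeof raw);          /* constructed stale stack data */
    if (zero_first)
        memset(h, 0, sizeof *h);            /* mitigation: clear padding too */

    /* Field-by-field initialisation never touches the padding bytes. */
    h->opcode = 1;  h->flags = 0;  h->count = 0;
    h->ival1.tv_sec = 0;  h->ival1.tv_usec = 0;
    h->ival2.tv_sec = 1;  h->ival2.tv_usec = 0;
    h->can_id = 0x123;  h->nframes = 0;

    memcpy(out, h, sizeof *h);              /* stands in for copy_to_user() */
    for (size_t i = 0; i < sizeof out; i++)
        stale += (out[i] == 0xAA);
    return stale;
}

int main(void) {
    printf("32-bit: gap before ival1=%zu, gap before frames=%zu, sizeof=%zu\n",
           gap_before_ival1_32(), gap_before_frames32(), sizeof(struct bcm_msg_head32));
    printf("64-bit: gap before ival1=%zu, gap before frames=%zu, sizeof=%zu\n",
           gap_before_ival1_64(), gap_before_frames64(), sizeof(struct bcm_msg_head64));
    printf("stale bytes copied out: %d without memset, %d with memset\n",
           stale_bytes_in_header32(0), stale_bytes_in_header32(1));
    return 0;
}
```

The 40-byte 32-bit layout matches Patrick's `struct` format string `"IIIllllII0q"` (`0q` is the trailing alignment to 8), and the two measured gaps are the two that Patrick and Norbert each found: one in front of `ival1` on 64-bit, one in front of `frames[0]` on 32-bit. Either way the cure is the same: a header that is copied out whole must be fully initialised, padding included, before the copy.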