Le samedi 30 octobre 2010 Ã 18:26 +0400, Vasiliy Kulikov a Ãcrit :
> Structure cmsghdr is copied to userland with padding bytes
> unitialized on architectures where __kernel_size_t is unsigned long.
> It leads to leaking of contents of kernel stack memory.
>
> Signed-off-by: Vasiliy Kulikov <segooon@xxxxxxxxx>
> ---
> Compile tested.
>
> net/core/scm.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/net/core/scm.c b/net/core/scm.c
> index 413cab8..a4a9b70 100644
> --- a/net/core/scm.c
> +++ b/net/core/scm.c
> @@ -233,6 +233,7 @@ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
> msg->msg_flags |= MSG_CTRUNC;
> cmlen = msg->msg_controllen;
> }
> + memset(&cmhdr, 0, sizeof(cmhdr));
> cmhdr.cmsg_level = level;
> cmhdr.cmsg_type = type;
> cmhdr.cmsg_len = cmlen;
???
struct cmsghdr {
__kernel_size_t cmsg_len; /* data byte count, including hdr */
int cmsg_level; /* originating protocol */
int cmsg_type; /* protocol-specific type */
};
Could you explain where are the padding bytes ?
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
