Re: [PATCH] infiniband: core: fix information leak to userland

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



 > Structure ib_uverbs_qp_attr is copied to userland with allmost all
 > fields uninitialized (140 bytes on x86).  It leads to leaking of
 > contents of kernel stack memory.

I don't think most of the fields are uninitialized... we have:

 	memset(&qp_attr, 0, sizeof qp_attr);

and then later on,

	ib_copy_qp_attr_to_user(&resp, &qp_attr);

which actually does initialize almost all of the fields in resp.  The
things that are missing are clearing out the reserved fields in the
structures, and also resp.qp_state never gets set.

I would suggest adding code to clear the reserved fields of structures
to ib_copy_qp_attr_to_user() and ib_copy_ah_attr_to_user(), since this
will fix what looks to be the same problem in ucma_init_qp_attr() (in
drivers/infiniband/core/ucma.c).

Sean, what is intended for qp_state handling here?  It seems
ib_copy_qp_attr_to_user() should either clear it or set it to something
sensible.

 - R.
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux