Search Linux Wireless

Re: Information leak in llcp_sock_bind/llcp_raw_sock_bind

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Date: Tue, 15 Dec 2015 21:45:16 +0100

> On Tue, Dec 15, 2015 at 9:36 PM, David Miller <davem@xxxxxxxxxxxxx> wrote:
>> From: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
>> Date: Tue, 15 Dec 2015 21:00:20 +0100
>>
>>> The problem is that llcp_sock_bind/llcp_raw_sock_bind do not check
>>> sockaddr_len passed in, so they copy stack garbage from stack into the
>>> socket and then return it in getsockname.
>>> This can defeat ASLR, leak crypto keys, etc.
>>
>> That's actually the first thing these functions do.
>>
>> They completely clear out the on-stack llcp_addr, then they copy only
>> as much as the user gave them, being careful not to use more than
>> sizeof(llcp_addr).
>>
>>         memset(&llcp_addr, 0, sizeof(llcp_addr));
>>         len = min_t(unsigned int, sizeof(llcp_addr), alen);
>>         memcpy(&llcp_addr, addr, len);
>>
>> I don't see what the problem is, you'll need to be more specific.
> 
> You are right. Sorry.
> 
> There still seems to be a minor leak here:
> 
>   if (!addr || addr->sa_family != AF_NFC)
>       return -EINVAL;
> 
> addr->sa_family can be uninit.

That shouldn't matter at all, that can't cause socket state corruption.

I want to ask you if you are actually seeing kernel stack in that hexdump
you are posting?  If so, how do you actually account for it?  Nothing you
have shown so far make that clear.
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux