On Fri, 2015-05-08 at 15:53 -0600, Jason Gunthorpe wrote: > On Fri, May 08, 2015 at 04:36:33PM -0500, Tatyana Nikolova wrote: > > The string iwpm_ulib_name is recorded in a nlmsg as a netlink attribute. > > Without this fix parsing of the nlmsg by the userspace port mapper service fails > > because of unknown attribute length, causing the port mapper service not to > > register the client, which has sent the nlmsg. > > Reviewed-By: Jason Gunthorpe <jgunthorpe@xxxxxxxxxxxxxxxxxxxx> > > This actually will copy some kernel memory to userspace. I think the > overflow is in .text, so probably not a security issue.. It shouldn't be in the .text section. This is defined as static const char array, so it should be in one of the data sections. And since we are using an initializer smaller than the specific size of the array, I would expect all of the unitialized bits to be 0. But, the proof is in the pudding. A quick compile and check show us: Contents of section .rodata: ... 01e0 69576172 70506f72 744d6170 70657255 iWarpPortMapperU 01f0 73657200 00000000 00000000 00000000 ser............. Yep, just right. It created a 32byte ro element, initialized it to 0, then put our text in it. This is exactly what will get copied in the nl message and is precisely what we want. Applied, thanks. -- Doug Ledford <dledford@xxxxxxxxxx> GPG KeyID: 0E572FDD
Attachment:
signature.asc
Description: This is a digitally signed message part