On Tue, 2015-05-12 at 11:50 -0600, Jason Gunthorpe wrote:
> On Tue, May 12, 2015 at 01:14:26PM -0400, Doug Ledford wrote:
> > On Fri, 2015-05-08 at 15:53 -0600, Jason Gunthorpe wrote:
> > > On Fri, May 08, 2015 at 04:36:33PM -0500, Tatyana Nikolova wrote:
> > > > The string iwpm_ulib_name is recorded in a nlmsg as a netlink attribute.
> > > > Without this fix parsing of the nlmsg by the userspace port mapper service fails
> > > > because of unknown attribute length, causing the port mapper service not to
> > > > register the client, which has sent the nlmsg.
> > >
> > > Reviewed-By: Jason Gunthorpe <jgunthorpe@xxxxxxxxxxxxxxxxxxxx>
> > >
> > > This actually will copy some kernel memory to userspace. I think the
> > > overflow is in .text, so probably not a security issue..
> >
> > It shouldn't be in the .text section.
>
> Pedantically, that is right, it is an archaic colloquialism to refer
> to the entire set of post-link read-only sections as .text. (typically
> the linker used to merge everything into .text)
>
> I realize now I didn't consider modules when looking into this. No
> time right now, can you check if there is any chance the read can
> overflow past the page allocated to the module's .rodata?
>
> > char array, so it should be in one of the data sections. And since we
> > are using an initializer smaller than the specific size of the array, I
> > would expect all of the uninitialized bits to be 0.
>
> I was talking about the situation before the patch.

Sorry, my misunderstanding.

--
Doug Ledford <dledford@xxxxxxxxxx>
GPG KeyID: 0E572FDD
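The length-versus-size mistake the thread is discussing, as an added user-space illustration that is not code from the patch or the kernel: `ULIB_NAME_SIZE`, `struct attr`, `put_string_attr` and the sample name are constructed stand-ins for the iwpm identifiers, not the real ones. It shows why an array sized by its initializer cannot safely be sent with a fixed length, and why the explicitly sized declaration Doug describes leaves only zero bytes after the terminator.

```c
#include <stdint.h>
#include <string.h>
#define ULIB_NAME_SIZE 32   /* hypothetical fixed attribute length, not the kernel's */

/* Before the fix, as the thread describes: the array is sized by its initializer
 * (13 bytes), so sending a fixed ULIB_NAME_SIZE reads past it into .rodata. */
static const char ulib_name_unsized[] = "example-ulib";   /* constructed sample */
/* After the fix: explicit size; C zero-fills the bytes the initializer leaves. */
static const char ulib_name_sized[ULIB_NAME_SIZE] = "example-ulib";

/* Toy netlink-style attribute: total length, type, payload. */
struct attr { uint16_t len; uint16_t type; unsigned char data[ULIB_NAME_SIZE]; };

/* Copies `want` bytes of `src` into the attribute. Returns the payload length,
 * or -1 when `want` exceeds the source: the over-read the reviewer spotted.
 * Sending strlen(src)+1 instead of a fixed size is the other way to stay in bounds. */
static int put_string_attr(struct attr *a, uint16_t type,
                           const char *src, size_t src_size, size_t want)
{
    if (want > src_size || want > sizeof a->data)
        return -1;
    a->type = type;
    a->len = (uint16_t)(sizeof a->len + sizeof a->type + want);
    memcpy(a->data, src, want);
    return (int)want;
}

/* Fixed length against the unsized array: refused rather than leaking memory. */
int before_fix(void)
{
    struct attr a;
    return put_string_attr(&a, 1, ulib_name_unsized, sizeof ulib_name_unsized, ULIB_NAME_SIZE);
}

/* Fixed length against the sized array: in bounds, 32 bytes of string plus zeros. */
int after_fix(void)
{
    struct attr a;
    return put_string_attr(&a, 1, ulib_name_sized, sizeof ulib_name_sized, ULIB_NAME_SIZE);
}

/* The property Doug relies on: every byte past the terminator is 0. */
int sized_tail_is_zero(void)
{
    size_t i;
    for (i = strlen(ulib_name_sized) + 1; i < sizeof ulib_name_sized; i++)
        if (ulib_name_sized[i] != 0)
            return 0;
    return 1;
}
```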