oss-sec mailing list archives
CVE Request: Linux kernel net/rds max socket length checking
From: Marcus Meissner <meissner () suse de>
Date: Mon, 6 Aug 2012 09:48:50 +0200
Hi,

Kernel memory information leak in the RDS protocol. (commit also has a testcase)

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=06b6a1cf6e776426766298d055bb3991957d90a7

Ciao, Marcus

commit 06b6a1cf6e776426766298d055bb3991957d90a7
Author: Weiping Pan <wpan () redhat com>
Date:   Mon Jul 23 10:37:48 2012 +0800

    rds: set correct msg_namelen

    Jay Fenlason (fenlason () redhat com) found a bug, that recvfrom() on an RDS
    socket can return the contents of random kernel memory to userspace if it
    was called with an address length larger than sizeof(struct sockaddr_in).

    rds_recvmsg() also fails to set the addr_len parameter properly before
    returning, but that's just a bug. There are also a number of cases where
    recvfrom() can return an entirely bogus address. Anything in rds_recvmsg()
    that returns a non-negative value but does not go through the
    "sin = (struct sockaddr_in *)msg->msg_name;" code path at the end of the
    while(1) loop will return up to 128 bytes of kernel memory to userspace.

    And I write two test programs to reproduce this bug, you will see that in
    rds_server, fromAddr will be overwritten and the following sock_fd will be
    destroyed.

    Yes, it is the programmer's fault to set msg_namelen incorrectly, but it is
    better to make the kernel copy the real length of address to user space in
    such case.

--
Open Linux Security Engineer Position at SUSE: http://bit.ly/Li4RbS
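As an added illustration that is not part of the original message or of the kernel commit, the following user-space C program models the msg_namelen handling the commit message describes. The "kernel" address buffer, the protocol-level receive routine and the socket layer's copy back to the caller are constructed stand-ins (all names, the 0xAA fill pattern and the sample address are assumptions, and the struct is a 16-byte stand-in for struct sockaddr_in). It places the vulnerable pattern, where msg_namelen is left at the caller-supplied 128, beside the corrected pattern, where it is reset to 0 and set to the real address size only on the path that fills one in.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space model of the msg_namelen bug described in the
 * commit message above. Nothing here is the kernel's rds_recvmsg(); names,
 * layout and values are constructed for illustration. */

#define NAME_MAX_LEN    128     /* caller passes addrlen = 128 (modelled) */
#define SCRATCH_PATTERN 0xAA    /* marks "stale kernel memory" (modelled) */

/* Stand-in for struct sockaddr_in: 16 bytes, like the real one on Linux. */
struct model_sockaddr_in {
    uint16_t family;
    uint16_t port;
    uint32_t addr;
    uint8_t  zero[8];
};

/* Modelled kernel memory backing msg_name. In the real bug its contents are
 * whatever happened to be there; the fill pattern makes a leak countable. */
static uint8_t kernel_name[NAME_MAX_LEN];

/* Models the socket layer's move_addr_to_user(): copy msg_namelen bytes
 * back to the caller, capped by the caller's buffer, and return that count. */
static size_t move_addr_to_user(uint8_t *ubuf, size_t ulen, size_t msg_namelen)
{
    size_t n = msg_namelen < ulen ? msg_namelen : ulen;
    memcpy(ubuf, kernel_name, n);
    return n;
}

/* Writes a constructed AF_INET-style address into the modelled buffer. */
static void fill_address(void)
{
    struct model_sockaddr_in sin = { 2, 0x1234, 0x0100007f, { 0 } };
    memcpy(kernel_name, &sin, sizeof sin);
}

/* Vulnerable pattern: msg_namelen keeps the caller's value. Neither the
 * "no address" early return nor the address-filling path corrects it. */
static void proto_recv_vulnerable(size_t *msg_namelen, int have_addr)
{
    (void)msg_namelen;                  /* bug: never set on any path */
    memset(kernel_name, SCRATCH_PATTERN, sizeof kernel_name);
    if (!have_addr)
        return;
    fill_address();
}

/* Fixed pattern, as the commit describes: reset msg_namelen to 0 up front
 * and set it to the real size only where an address is actually filled in. */
static void proto_recv_fixed(size_t *msg_namelen, int have_addr)
{
    memset(kernel_name, SCRATCH_PATTERN, sizeof kernel_name);
    *msg_namelen = 0;                   /* nothing valid unless we fill sin */
    if (!have_addr)
        return;
    fill_address();
    *msg_namelen = sizeof(struct model_sockaddr_in);
}

/* Drives one recvfrom()-style call with a 128-byte user buffer. */
static size_t drive(int use_fixed, int have_addr, uint8_t *ubuf)
{
    size_t msg_namelen = NAME_MAX_LEN;  /* what the caller passed in */
    memset(ubuf, 0, NAME_MAX_LEN);
    if (use_fixed)
        proto_recv_fixed(&msg_namelen, have_addr);
    else
        proto_recv_vulnerable(&msg_namelen, have_addr);
    return move_addr_to_user(ubuf, NAME_MAX_LEN, msg_namelen);
}

/* Bytes the socket layer handed back to the caller. */
size_t bytes_returned_to_user(int use_fixed, int have_addr)
{
    uint8_t ubuf[NAME_MAX_LEN];
    return drive(use_fixed, have_addr, ubuf);
}

/* Bytes of scratch pattern that reached the caller beyond the sockaddr_in,
 * i.e. bytes that should never have been copied out. */
size_t leaked_bytes(int use_fixed, int have_addr)
{
    uint8_t ubuf[NAME_MAX_LEN];
    size_t n = drive(use_fixed, have_addr, ubuf), leaked = 0;
    for (size_t i = sizeof(struct model_sockaddr_in); i < n; i++)
        if (ubuf[i] == SCRATCH_PATTERN)
            leaked++;
    return leaked;
}

int main(void)
{
    const char *names[2] = { "vulnerable", "fixed" };
    for (int f = 0; f < 2; f++)
        for (int a = 0; a < 2; a++)
            printf("%-10s %-12s: %3zu bytes back, %3zu leaked\n", names[f],
                   a ? "with address" : "no address",
                   bytes_returned_to_user(f, a), leaked_bytes(f, a));
    return 0;
}
```

Running the model shows the two halves of the commit message: with the vulnerable pattern the caller gets 128 bytes back whether or not an address was produced, 112 of them scratch memory past the sockaddr_in; with the fix the caller gets 0 bytes on the no-address path and exactly 16 when an address is filled in. The same property is what a regression test for a socket protocol should assert: the reported address length never exceeds the size of the address the protocol actually wrote.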
Current thread:
- CVE Request: Linux kernel net/rds max socket length checking Marcus Meissner (Aug 06)
- Re: CVE Request: Linux kernel net/rds max socket length checking Petr Matousek (Aug 06)