oss-sec mailing list archives
Re: Re: Linux kernel: more net info leak fixes for v3.9
From: Mathias Krause <minipli () googlemail com>
Date: Tue, 23 Apr 2013 13:23:22 +0200
On Tue, Apr 23, 2013 at 12:22 PM, P J P <ppandit () redhat com> wrote:
> +-- On Mon, 22 Apr 2013, cve-assign () mitre org wrote --+
> | ef3313e84acbf349caecae942ab3ab731471f1a1 CVE-2013-3223
>
>    *sax = (struct sockaddr_ax25 *)msg->msg_name;
>
> Here, - *sax - seems to point to users `msg_name' object, no?

no ;)

> Because of the earlier copy_from_user in net/socket.h:

net/socket.c, I guess. The copy_from_user is followed by
verify_iovec() that sets msg_name to "addr" -- a kernel stack
variable.

> ===
>    get_compat_msghdr(msg_sys, msg_compat)
>         OR
>    copy_from_user(msg_sys, msg, sizeof(struct msghdr)
> ===
>
> Is - memset(sax, 0, sizeof(full_sockaddr_ax25)) - setting users memory area?

No, for the above reason.

Please ask your colleagues at RedHat for any further explanations of
the code. AFAIK, oss-sec is no kernel hacker newbie forum ;)

Mathias
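Added example, not part of the original message and not kernel code: a user-space C model of the point made in the reply above, that the handler's `msg_name` refers to a kernel stack buffer which is later copied out to the caller, so the `memset()` clears kernel memory. The `model_*` structs and functions, the field values, and the `STALE` marker are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define STALE 0xAA  /* constructed marker standing in for old stack contents */

/* Simplified stand-ins (assumptions), not the kernel's struct definitions. */
struct model_sockaddr      { unsigned short family; char call[7]; int ndigis; };
struct model_full_sockaddr { struct model_sockaddr base; char digis[8][7]; };
struct model_msghdr        { void *msg_name; int msg_namelen; };

/* Protocol handler model: sets a few fields and reports the full size.
 * zero_first models the memset() quoted in the thread. */
static void model_recvmsg(struct model_msghdr *msg, int zero_first)
{
    struct model_full_sockaddr *sax = msg->msg_name; /* kernel-side buffer */

    if (zero_first)
        memset(sax, 0, sizeof(*sax));
    sax->base.family = 3;
    memcpy(sax->base.call, "N0CALL", 7);
    sax->base.ndigis = 0;
    msg->msg_namelen = sizeof(*sax);
}

/* Syscall path model: msg_name is redirected to the local `addr`, the handler
 * runs, then msg_namelen bytes are copied back to the caller's buffer.
 * Returns how many stale marker bytes reached the caller. */
size_t model_sys_recvmsg(unsigned char *user_name, size_t user_len, int zero_first)
{
    struct model_full_sockaddr addr;
    struct model_msghdr msg_sys;
    size_t i, n, stale = 0;

    memset(&addr, STALE, sizeof(addr));      /* pretend the stack slot was dirty */
    msg_sys.msg_name = &addr;                /* never the user's pointer */
    msg_sys.msg_namelen = sizeof(addr);
    model_recvmsg(&msg_sys, zero_first);

    n = (size_t)msg_sys.msg_namelen < user_len ? (size_t)msg_sys.msg_namelen : user_len;
    memcpy(user_name, &addr, n);             /* stand-in for the copy to user space */
    for (i = 0; i < n; i++)
        stale += (user_name[i] == STALE);
    return stale;
}

int main(void)
{
    unsigned char buf[sizeof(struct model_full_sockaddr)];
    printf("without memset: %zu stale bytes\n", model_sys_recvmsg(buf, sizeof buf, 0));
    printf("with memset:    %zu stale bytes\n", model_sys_recvmsg(buf, sizeof buf, 1));
    return 0;
}
```

In this model the unwritten `digis` area (and any compiler padding) reaches the caller unless the buffer is zeroed first.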