linux kernel 2.6.37 rc1 net: packet fix information leak to userland

2011.01.06
Credit: Vasiliy Kulikov
Risk: Low
Local: Yes
Remote: No
CVE: CVE-2010-3876
CWE: CWE-200


CVSS Base Score: 1.9/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

packet_getname_spkt() doesn't initialize all members of sa_data field of sockaddr struct if strlen(dev->name) < 13. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. We have to fully fill sa_data with strncpy() instead of strlcpy(). The same with packet_getname(): it doesn't initialize sll_pkttype field of sockaddr_ll. Set it to zero. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> --- net/packet/af_packet.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 3616f27..0856a13 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -1719,7 +1719,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, rcu_read_lock(); dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); if (dev) - strlcpy(uaddr->sa_data, dev->name, 15); + strncpy(uaddr->sa_data, dev->name, 14); else memset(uaddr->sa_data, 0, 14); rcu_read_unlock(); @@ -1742,6 +1742,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr, sll->sll_family = AF_PACKET; sll->sll_ifindex = po->ifindex; sll->sll_protocol = po->num; + sll->sll_pkttype = 0; rcu_read_lock(); dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex); if (dev) { -- 1.7.0.4 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

References:

https://bugzilla.redhat.com/show_bug.cgi?id=649715
http://openwall.com/lists/oss-security/2010/11/04/5
http://openwall.com/lists/oss-security/2010/11/02/9
http://openwall.com/lists/oss-security/2010/11/02/7
http://openwall.com/lists/oss-security/2010/11/02/10
http://marc.info/?l=linux-netdev&m=128854507220908&w=2
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=67286640f638f5ad41a946b9a3dc75327950248f
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.37-rc2
http://openwall.com/lists/oss-security/2010/11/02/12


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top