[PATCH] 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try#2

From: Clement LECIGNE
Date: Thu Feb 12 2009 - 07:36:20 EST

Next message: KAMEZAWA Hiroyuki: "Re: [patch] rt: res_counter fix, v2"
Previous message: Peter Zijlstra: "Re: [patch] generic-ipi: remove kmalloc, cleanup"
Next in thread: David Miller: "Re: [PATCH] 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopttry #2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

In function sock_getsockopt() located in net/core/sock.c, optval v.val
is not correctly initialized and directly returned in userland in case
we have SO_BSDCOMPAT option set.

This dummy code should trigger the bug:

int main(void)
{
unsigned char buf[4] = { 0, 0, 0, 0 };
int len;
int sock;
sock = socket(33, 2, 2);
getsockopt(sock, 1, SO_BSDCOMPAT, &buf, &len);
printf("%x%x%x%x\n", buf[0], buf[1], buf[2], buf[3]);
close(sock);
}

Here is a patch that fix this bug by initalizing v.val just after its declaration.

--- linux/net/core/sock.c.orig 2008-12-12 12:27:46.000000000 -0800
+++ linux/net/core/sock.c 2008-12-12 12:27:50.000000000 -0800
@@ -695,6 +695,8 @@ int sock_getsockopt(struct socket *sock,
if (len < 0)
return -EINVAL;

+ v.val = 0;
+
switch(optname) {
case SO_DEBUG:
v.val = sock_flag(sk, SOCK_DBG);

Signed-off-by: Clément Lecigne <clement.lecigne@xxxxxxxxxx>

--
Clément LECIGNE,
"In Python, how do you create a string of random characters?" -- "Read a Perl file!"
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: KAMEZAWA Hiroyuki: "Re: [patch] rt: res_counter fix, v2"
Previous message: Peter Zijlstra: "Re: [patch] generic-ipi: remove kmalloc, cleanup"
Next in thread: David Miller: "Re: [PATCH] 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopttry #2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]