Re: remote memory reading using arp?

From: Warchild (warchild@spoofed.org)
Date: Sat Apr 27 2002 - 16:19:02 EST

Next message: Ivan G.: "Re: Via-Rhine Driver - questions for D. Becker."
Previous message: Bryan Rittmeyer: "Re: remote memory reading using arp?"
In reply to: Bryan Rittmeyer: "Re: remote memory reading using arp?"
Next in thread: Andi Kleen: "Re: remote memory reading using arp?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Apr 27, 2002 at 01:48:43PM -0700, Bryan Rittmeyer wrote:

> > [oh my god, i see userspace text strings in ARP packets]

*sigh*

> It's not the ARP layer that's causing the padding... Ethernet has a
> minimum transmit size of 64 bytes (everything below that is disgarded
> by hardware as a fragment), so the network device driver or
> the hardware itself will pad any Linux skb smaller than 60 bytes up to
> that size (so that it's 64 bytes after appending CRC32). Apparently, in
> some cases that's done by just transmitting whatever uninitialized
> memory follows skb->data, which, after the system has been running
> for a while, may be inside a page previously used by userspace.

That makes perfect sense. Thanks for the explanation.

> This is NOT a "remote memory reading" exploit, since there is no way to
> remotely control what address in memory gets used as padding. I guess
> you could packet blast a machine and hope to find something
> interesting, but that'd be a denial of service attack long before you
> got a complete view of system memory. In any case, it's arguably
> userspace's responsibility to clear any sensitive memory contents
> before exiting. I would be more concerned if you can find data
> from currently in use, userspace-allocated pages flying out as packet
> padding (i.e. if reading past skb->data pushes you into somebody else's
> page, which seems unlikely since new skb's tend to get allocated near
> the beginning of a page).

Correct. It'd take far too long and I'd go cross-eyed long before I got
anything other than useless garbage. Isn't this similar to the bug within
the last year that dealt with userland memory disclosure via tcp/icmp? What
was the "verdict" with that?

Please note that nowhere in my email did I use the word exploit.

> If you are really concerned you could probably patch the network driver
> to zero out memory that will be used as padding, though I don't think
> the security risk justifies that performance hit.

Agreed. It doesn't bother me much at all. I was just curious what was
going on.

thanks, and keep up the good work,

-warchild
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ivan G.: "Re: Via-Rhine Driver - questions for D. Becker."
Previous message: Bryan Rittmeyer: "Re: remote memory reading using arp?"
In reply to: Bryan Rittmeyer: "Re: remote memory reading using arp?"
Next in thread: Andi Kleen: "Re: remote memory reading using arp?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Tue Apr 30 2002 - 22:00:15 EST