Re: net/dev: fix information leak to userspace

From: Cong Wang
Date: Sun Mar 21 2021 - 21:08:50 EST


On Sun, Mar 21, 2021 at 9:34 AM Pavel Machek <pavel@xxxxxxx> wrote:
>
> dev_get_mac_address() does not always initialize whole
> structure. Unfortunately, other code copies such structure to
> userspace, leaking information. Fix it.

Well, most callers already initialize it with a memset() or copy_from_user(),
for example, __tun_chr_ioctl():

        if (cmd == TUNSETIFF || cmd == TUNSETQUEUE ||
            (_IOC_TYPE(cmd) == SOCK_IOC_TYPE && cmd != SIOCGSKNS)) {
                if (copy_from_user(&ifr, argp, ifreq_len))
                        return -EFAULT;
        } else {
                memset(&ifr, 0, sizeof(ifr));
        }

Except tap_ioctl(), but we can just initialize 'sa' there instead of doing
it in dev_get_mac_address().

Thanks.
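
The pattern discussed in this thread, as an added user-space example that is not part of the original message or the kernel source: a getter that writes only part of a sockaddr-like struct, and a caller whose memset() decides whether stale bytes would be copied out. The names sa_model, get_mac_model and ioctl_model are hypothetical, the 0xAA fill is a constructed stand-in for leftover stack contents, and the getter writing only the family plus addr_len bytes is an assumption of the model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SA_DATA_LEN 14  /* sa_data size in struct sockaddr */
#define STALE 0xAA      /* constructed marker for leftover stack bytes */

struct sa_model {       /* hypothetical stand-in for struct sockaddr */
    unsigned short sa_family;
    unsigned char sa_data[SA_DATA_LEN];
};

/* Model getter: sets the family and only the first addr_len bytes of sa_data. */
static void get_mac_model(struct sa_model *sa, const unsigned char *mac,
                          size_t addr_len)
{
    size_t n = addr_len < SA_DATA_LEN ? addr_len : SA_DATA_LEN;

    sa->sa_family = 1;  /* Ethernet hardware type */
    memcpy(sa->sa_data, mac, n);
}

/* Count bytes of the struct that still hold the stale marker. */
static size_t stale_bytes(const struct sa_model *sa)
{
    const unsigned char *p = (const unsigned char *)sa;
    size_t i, n = 0;

    for (i = 0; i < sizeof(*sa); i++)
        if (p[i] == STALE)
            n++;
    return n;
}

/* Model caller: zero_first != 0 mirrors the memset() branch quoted above. */
size_t ioctl_model(int zero_first)
{
    static const unsigned char mac[6] = { 0x02, 0, 0, 0, 0, 0x01 }; /* constructed */
    struct sa_model sa;

    memset(&sa, STALE, sizeof(sa));  /* simulate previous stack contents */
    if (zero_first)
        memset(&sa, 0, sizeof(sa));
    get_mac_model(&sa, mac, sizeof(mac));
    return stale_bytes(&sa);         /* bytes that a copy-out would expose */
}

int main(void)
{
    printf("no memset: %zu stale bytes\n", ioctl_model(0));
    printf("memset:    %zu stale bytes\n", ioctl_model(1));
    return 0;
}
```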