Re: Information leak in llcp_sock_bind/llcp_raw_sock_bind

From: David Miller
Date: Tue Dec 15 2015 - 15:48:57 EST


From: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Date: Tue, 15 Dec 2015 21:45:16 +0100

> On Tue, Dec 15, 2015 at 9:36 PM, David Miller <davem@xxxxxxxxxxxxx> wrote:
>> From: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
>> Date: Tue, 15 Dec 2015 21:00:20 +0100
>>
>>> The problem is that llcp_sock_bind/llcp_raw_sock_bind do not check
>>> sockaddr_len passed in, so they copy stack garbage from stack into the
>>> socket and then return it in getsockname.
>>> This can defeat ASLR, leak crypto keys, etc.
>>
>> That's actually the first thing these functions do.
>>
>> They completely clear out the on-stack llcp_addr, then they copy only
>> as much as the user gave them, being careful not to use more than
>> sizeof(llcp_addr).
>>
>> memset(&llcp_addr, 0, sizeof(llcp_addr));
>> len = min_t(unsigned int, sizeof(llcp_addr), alen);
>> memcpy(&llcp_addr, addr, len);
>>
>> I don't see what the problem is, you'll need to be more specific.
>
> You are right. Sorry.
>
> There still seems to be a minor leak here:
>
> if (!addr || addr->sa_family != AF_NFC)
> return -EINVAL;
>
> addr->sa_family can be uninit.

That shouldn't matter at all, that can't cause socket state corruption.

I want to ask you if you are actually seeing kernel stack in that hexdump
you are posting? If so, how do you actually account for it? Nothing you
have shown so far make that clear.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/