Date: Wed, 3 Nov 2021 09:53:08 -0700
From: Jakub Kicinski
To: butt3rflyh4ck
Cc: mostrows@earthlink.net, "David S. Miller", Networking, LKML, Bhaskar Chowdhury, Guillaume Nault
Subject: Re: A kernel-infoleak bug in pppoe_getname() in drivers/net/ppp/pppoe.c
Message-ID: <20211103095308.7ff68a7f@kicinski-fedora-PC1C0HJN>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 4 Nov 2021 00:14:31 +0800 butt3rflyh4ck wrote:
> Hi, I report a kernel-infoleak bug in pppoe_getname() in
> drivers/net/ppp/pppoe.c.
> And we can call the getname ioctl to invoke pppoe_getname().
>
> ###analyze
> ```
> static int pppoe_getname(struct socket *sock, struct sockaddr *uaddr,
>                          int peer)
> {
>         int len = sizeof(struct sockaddr_pppox);
>         struct sockaddr_pppox sp; ///---> defines 'sp' on the stack but does
>                                   ///     not clear it
>
>         sp.sa_family = AF_PPPOX; ///---> sp.sa_family is a short type, just
>                                  ///     2 bytes in size.

But the structure is marked as __packed.

>         sp.sa_protocol = PX_PROTO_OE;
>         memcpy(&sp.sa_addr.pppoe, &pppox_sk(sock->sk)->pppoe_pa,
>                sizeof(struct pppoe_addr));
>
>         memcpy(uaddr, &sp, len);
>
>         return len;
> }
> ```
> There is an anonymous 2-byte hole after sa_family, make sure to clear it.
>
> ###fix
> Use memset() to clear the struct sockaddr_pppox sp.
> ```
> diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
> index 3619520340b7..fec328ad7202 100644
> --- a/drivers/net/ppp/pppoe.c
> +++ b/drivers/net/ppp/pppoe.c
> @@ -723,6 +723,11 @@ static int pppoe_getname(struct socket *sock,
> struct sockaddr *uaddr,
> int len = sizeof(struct sockaddr_pppox);
> struct sockaddr_pppox sp;
>
> + /* There is an anonymous 2-byte hole after sa_family,
> + * make sure to clear it.
> + */
> + memset(&sp, 0, len);
> +
> sp.sa_family = AF_PPPOX;
> sp.sa_protocol = PX_PROTO_OE;
> memcpy(&sp.sa_addr.pppoe, &pppox_sk(sock->sk)->pppoe_pa,
> ```
> The attachment is a patch.
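Review bot: the comment added in the hunk justifies the memset() with "an anonymous 2-byte hole after sa_family", but the reply above points out that struct sockaddr_pppox is marked __packed, in which case there is no hole between sa_family and sa_protocol and the comment is wrong as written. Check the struct definition before merging; if the memset() is kept as defensive zeroing of a stack object that is copied whole to userspace, reword the comment to say that instead of claiming a hole, and prefer `memset(&sp, 0, sizeof(sp));` over `memset(&sp, 0, len);` so the cleared size is tied to the object rather than to a separately computed variable.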
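To make the disagreement above concrete, here is an added example (not code from the kernel or from either participant) that models the struct sockaddr_pppox layout with constructed stand-in types, once with natural alignment and once __packed, and counts how many stale stack bytes a pppoe_getname()-style copy would hand to userspace with and without the proposed memset(). The type names, the AF_PPPOX/PX_PROTO_OE values and the sample address are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins with the same field sizes as the uapi types:
 * 2-byte family, 4-byte protocol, 24-byte PPPoE address (sid, MAC, ifname). */
struct pppoe_addr_demo { uint16_t sid; unsigned char remote[6]; char dev[16]; };
#define PPPOX_FIELDS uint16_t sa_family; uint32_t sa_protocol; struct pppoe_addr_demo sa_addr;
struct pppox_unpacked { PPPOX_FIELDS };                        /* natural alignment: hole after sa_family */
struct pppox_packed   { PPPOX_FIELDS } __attribute__((packed)); /* as the kernel declares it */

#define POISON 0xAA   /* stands in for stale stack contents */

/* Mimic pppoe_getname(): the object starts as stale stack (poison), is optionally
 * memset() to zero first, then only the fields the function writes are set.
 * Returns how many poison bytes would still reach userspace in the final copy. */
static size_t simulate_getname(size_t total, size_t off_family, size_t off_proto,
                               size_t off_addr, int clear_first)
{
    unsigned char sp[64];          /* large enough for either layout */
    uint16_t family = 24;          /* assumed AF_PPPOX value */
    uint32_t proto = 0;            /* assumed PX_PROTO_OE value */
    struct pppoe_addr_demo pa = { 0x1234, {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, "ppp0" };
    size_t i, leaked = 0;

    memset(sp, POISON, sizeof sp);
    if (clear_first)
        memset(sp, 0, total);      /* the proposed fix */
    memcpy(sp + off_family, &family, sizeof family);
    memcpy(sp + off_proto, &proto, sizeof proto);
    memcpy(sp + off_addr, &pa, sizeof pa);   /* whole 24-byte address, like the kernel memcpy */
    for (i = 0; i < total; i++)
        leaked += (sp[i] == POISON);
    return leaked;
}

#define LEAKED(T, clear) simulate_getname(sizeof(struct T), offsetof(struct T, sa_family), \
                             offsetof(struct T, sa_protocol), offsetof(struct T, sa_addr), clear)
size_t leaked_unpacked(int clear_first) { return LEAKED(pppox_unpacked, clear_first); }
size_t leaked_packed(int clear_first)   { return LEAKED(pppox_packed, clear_first); }

int main(void)
{
    printf("unpacked: %zu stale byte(s) without memset, %zu with\n",
           leaked_unpacked(0), leaked_unpacked(1));
    printf("packed:   %zu stale byte(s) without memset, %zu with\n",
           leaked_packed(0), leaked_packed(1));
    return 0;
}
```

With natural alignment the two padding bytes after sa_family survive into the copy unless the struct is zeroed first; with the packed layout there is no padding to leak, which is the point the reply makes.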