Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1182222pxb;
        Wed, 3 Nov 2021 20:11:23 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz6BS9XcWRBiP4mXwID7d+byili2FS6qvG8iKyT6C7IX8ce4i9q5t6mAe0i2s5yd06b6Tf+
X-Received: by 2002:a05:6402:203:: with SMTP id t3mr68296930edv.69.1635995483452;
        Wed, 03 Nov 2021 20:11:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1635995483; cv=none;
        d=google.com; s=arc-20160816;
        b=RpyA4wqZvgFs5stiGd4D+SCUs3UbMFJzRYa2VzAbPByrDNA5tJ4kkPFDHr1BCa8nIE
         /A0LycDCjNMt075L8WLkRo2RQpBQlM7tflEhEoQXiEcgDGfiQll4uxJ9FKRqR8EXR9Pz
         d5NfQ8nGV5rdVgmzXmUSszs+nAZkus3reK4ApHZ3UigqOyUevDFoc8Ob+cGBXyqu0sex
         PcHMca9vj82qQLxfdVFUMvawX60YMS8gt0kZWOyiy5vkFX5VnnfKIJyh/j85BguG1+aw
         00mdOh/0G8vTeVQa7PVLi/FvY9vE9lGYGKBZxdBltlbA2p9160IK80GtNl1HRRN0zz16
         osrA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=0WKPz/ZeRoXF3sQd10dP+NWHOO9HPyrJzM/t8aB8TmY=;
        b=Usq9wFLHrcRNAVMN88MMcGjZIDp7pDJNvsH4qUOBA0B2MSLKXVfWD9TdzGmr9qWtvs
         p481kZFHvH7/zdCouzcNhcFJQzgRZDOJj+7Vn8RV7ERK/hB/t1V52Cm/BfSdJHAweFR1
         MnCLaKHXtfgaTXRWHC17LuWvGTnKQbgfGuV5RjpkIgABU9gFQlTqCDhZuam3gfoKML+S
         Dk9JGHv0Bk7O7+qP9RSbEqcOYuCtVwYUXvLN96rD8Zsl6BsCwkw4XO4wejWaQ4gaSKZf
         zlVjtLauXpaHsQBtI+Qm4g4j21oar6ximZDFyM05UC0+aL4Uy0QrBVCjupJDy25Lb36A
         bQKQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=Wjd9fo6b;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id he39si8256523ejc.410.2021.11.03.20.10.57;
        Wed, 03 Nov 2021 20:11:23 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=Wjd9fo6b;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230491AbhKDDKM (ORCPT <rfc822;ly15351151@gmail.com> + 99 others);
        Wed, 3 Nov 2021 23:10:12 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60180 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230084AbhKDDKF (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 3 Nov 2021 23:10:05 -0400
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 74F7CC06127A;
        Wed,  3 Nov 2021 20:07:27 -0700 (PDT)
Received: by mail-yb1-xb2b.google.com with SMTP id t127so11150780ybf.13;
        Wed, 03 Nov 2021 20:07:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=0WKPz/ZeRoXF3sQd10dP+NWHOO9HPyrJzM/t8aB8TmY=;
        b=Wjd9fo6bCdElVb1YXBrSNg3JCK1xq0lb12EgVc75FhmqjnhmHTbJ/jtsw3PYsZDlZm
         kYsh2SexP2mUIbZYwgzdxbZBrfuezC7qcE4cJ8WuUbJ1n7/z+TlETrbXjoc/xkNeYAq3
         T34zIMeOPZUBivg7aZdSIWsRTW8yFpW49O59x79jmgEDZ27Fzg6sN6+7l/lRTdaVKYWV
         SjAgsqe1JQRc57N6Tv0WKR4TFK8XvTJFgdwsCvww6mKCWbqDIkgnLbioKe6zBfiL7poY
         mXcjJwGjhXhM6JUWr18wjFJvZTaV/uePkP00x03kdkpTXGsMzVamHVgM8Y0yxw5D7RlH
         lx7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=0WKPz/ZeRoXF3sQd10dP+NWHOO9HPyrJzM/t8aB8TmY=;
        b=V7DQJ9siVWzmnOGYmSNtpTOWlTjhtOCL+lXybPeHn2p881uTwN7CyRzv3ZKN6DG5E3
         RxLDmXpEAwZWYwe9IUl5dl4gLv2aeW7KAWh3GKQBvVLnYiGjMD1wrPk69EpiKdEkZQRI
         4WFzx6p/JStuGLCD9ci1aa4L/4NJiHVJq5ZThoBuDSz508EGPiAUi/I0L++R9WO2uA2W
         wXENnRRvO3vZH/zZJ7FaZ+c8JPQAwoyJeWfj3sKdrJLh4wE/DVd1+SKb6fCdv8oNI8WK
         f54Vxos0cj2M0G1SqPWlKRv5teDY1LW2u596DQSymWcvj8T8tRF8gZ0O05bpfYyBD7U2
         36Hw==
X-Gm-Message-State: AOAM530fyQRTuib4yehYLC+kekaggDBRjAIC9TsUb3JKH8g4LopUKF+Q
        iQvGLQzwTHCRmR0re/vRWDXvEufTpJKtQajJpIo=
X-Received: by 2002:a25:bb0c:: with SMTP id z12mr54482892ybg.181.1635995246618;
 Wed, 03 Nov 2021 20:07:26 -0700 (PDT)
MIME-Version: 1.0
References: <CAFcO6XMgwuz97EJN+8jh9PJ9seaUbousDBOh9sduM6MZ6MRHxA@mail.gmail.com>
 <20211103095308.7ff68a7f@kicinski-fedora-PC1C0HJN>
In-Reply-To: <20211103095308.7ff68a7f@kicinski-fedora-PC1C0HJN>
From:   butt3rflyh4ck <butterflyhuangxx@gmail.com>
Date:   Thu, 4 Nov 2021 11:07:16 +0800
Message-ID: <CAFcO6XPA5uR6PLqRYxNmie6jZkkZxpkyTzJmB7pyNNf17gg3Wg@mail.gmail.com>
Subject: Re: A kernel-infoleak bug in pppoe_getname() in drivers/net/ppp/pppoe.c
To:     Jakub Kicinski <kuba@kernel.org>
Cc:     mostrows@earthlink.net, "David S. Miller" <davem@davemloft.net>,
        Networking <netdev@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Bhaskar Chowdhury <unixbhaskar@gmail.com>,
        Guillaume Nault <gnault@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Ok, I will check. Oh, you are right.



On Thu, Nov 4, 2021 at 12:53 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Thu, 4 Nov 2021 00:14:31 +0800 butt3rflyh4ck wrote:
> > Hi, I report a kernel-infoleak bug in pppoe_getname()) in
> > drivers/net/ppp/pppoe.c.
> > And we can call getname ioctl to invoke pppoe_getname().
> >
> > ###anaylze
> > ```
> > static int pppoe_getname(struct socket *sock, struct sockaddr *uaddr,
> >   int peer)
> > {
> > int len = sizeof(struct sockaddr_pppox);
> > struct sockaddr_pppox sp;    ///--->  define a 'sp' in stack but does
> > not clear it
> >
> > sp.sa_family = AF_PPPOX;   ///---> sp.sa_family is a short type, just
>
> But the structure is marked as __packed.
>
> > 2 byte sizes.
> > sp.sa_protocol = PX_PROTO_OE;
> > memcpy(&sp.sa_addr.pppoe, &pppox_sk(sock->sk)->pppoe_pa,
> >        sizeof(struct pppoe_addr));
> >
> > memcpy(uaddr, &sp, len);
> >
> > return len;
> > }
> > ```
> > There is an anonymous 2-byte hole after sa_family, make sure to clear it.
> >
> > ###fix
> > use memset() to clear the struct sockaddr_pppox sp.
> > ```
> > diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
> > index 3619520340b7..fec328ad7202 100644
> > --- a/drivers/net/ppp/pppoe.c
> > +++ b/drivers/net/ppp/pppoe.c
> > @@ -723,6 +723,11 @@ static int pppoe_getname(struct socket *sock,
> > struct sockaddr *uaddr,
> >         int len = sizeof(struct sockaddr_pppox);
> >         struct sockaddr_pppox sp;
> >
> > +       /* There is an anonymous 2-byte hole after sa_family,
> > +        * make sure to clear it.
> > +        */
> > +       memset(&sp, 0, len);
> > +
> >         sp.sa_family    = AF_PPPOX;
> >         sp.sa_protocol  = PX_PROTO_OE;
> >         memcpy(&sp.sa_addr.pppoe, &pppox_sk(sock->sk)->pppoe_pa,
> > ```
> > The attachment is a patch.
>


--
Active Defense Lab of Venustech