References: <20211103095308.7ff68a7f@kicinski-fedora-PC1C0HJN>
In-Reply-To: <20211103095308.7ff68a7f@kicinski-fedora-PC1C0HJN>
From: butt3rflyh4ck
Date: Thu, 4 Nov 2021 11:07:16 +0800
Message-ID:
Subject: Re: A kernel-infoleak bug in pppoe_getname() in drivers/net/ppp/pppoe.c
To: Jakub Kicinski
Cc: mostrows@earthlink.net, "David S. Miller", Networking, LKML, Bhaskar Chowdhury, Guillaume Nault
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Ok, I will check. Oh, you are right.

On Thu, Nov 4, 2021 at 12:53 AM Jakub Kicinski wrote:
>
> On Thu, 4 Nov 2021 00:14:31 +0800 butt3rflyh4ck wrote:
> > Hi, I report a kernel-infoleak bug in pppoe_getname() in
> > drivers/net/ppp/pppoe.c.
> > And we can call getname ioctl to invoke pppoe_getname().
> >
> > ###analyze
> > ```
> > static int pppoe_getname(struct socket *sock, struct sockaddr *uaddr,
> >                          int peer)
> > {
> >         int len = sizeof(struct sockaddr_pppox);
> >         struct sockaddr_pppox sp; ///---> define a 'sp' in stack but does
> > not clear it
> >
> >         sp.sa_family = AF_PPPOX; ///---> sp.sa_family is a short type, just
>
> But the structure is marked as __packed.
>
> > 2 byte sizes.
> >         sp.sa_protocol = PX_PROTO_OE;
> >         memcpy(&sp.sa_addr.pppoe, &pppox_sk(sock->sk)->pppoe_pa,
> >                sizeof(struct pppoe_addr));
> >
> >         memcpy(uaddr, &sp, len);
> >
> >         return len;
> > }
> > ```
> > There is an anonymous 2-byte hole after sa_family, make sure to clear it.
> >
> > ###fix
> > use memset() to clear the struct sockaddr_pppox sp.
> > ```
> > diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
> > index 3619520340b7..fec328ad7202 100644
> > --- a/drivers/net/ppp/pppoe.c
> > +++ b/drivers/net/ppp/pppoe.c
> > @@ -723,6 +723,11 @@ static int pppoe_getname(struct socket *sock,
> > struct sockaddr *uaddr,
> > int len = sizeof(struct sockaddr_pppox);
> > struct sockaddr_pppox sp;
> >
> > + /* There is an anonymous 2-byte hole after sa_family,
> > + * make sure to clear it.
> > + */
> > + memset(&sp, 0, len);
> > +
> > sp.sa_family = AF_PPPOX;
> > sp.sa_protocol = PX_PROTO_OE;
> > memcpy(&sp.sa_addr.pppoe, &pppox_sk(sock->sk)->pppoe_pa,
> > ```
> > The attachment is a patch.
>
--
Active Defense Lab of Venustech
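Review bot: the comment added in this hunk justifies the memset with "an anonymous 2-byte hole after sa_family", but as the reply above notes the structure is marked __packed, so there is no such hole; the comment is wrong as written and should be dropped, or the patch withdrawn, unless a different uninitialized region can be shown (for example a union member of sa_addr that the memcpy of sizeof(struct pppoe_addr) leaves partly unwritten). If the memset stays, `memset(&sp, 0, sizeof(sp))` reads better than reusing `len`, which is only coincidentally the object size.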
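The thread turns on one question: does the layout of the struct being copied to userspace contain padding that field-by-field assignment never writes? The following C program is an added example, not part of this thread or of the kernel source. It uses two hypothetical layouts, `addr_unpacked` and `addr_packed` (stand-ins shaped like struct sockaddr_pppox, not the kernel's definitions), derives the size of any hole after `sa_family` with `offsetof`, and then models three fills on a poisoned byte image: the reported pattern without memset, the same pattern on a packed layout, and the proposed memset-first fix. The poison byte and the field values are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical layouts shaped like struct sockaddr_pppox (16-bit family,
 * 32-bit protocol, fixed-size address blob). Stand-ins for this example,
 * not the kernel's definitions.
 */
struct addr_unpacked {
    uint16_t sa_family;
    uint32_t sa_protocol;   /* needs 4-byte alignment: 2 pad bytes precede it */
    uint8_t  sa_addr[24];
};

struct addr_packed {
    uint16_t sa_family;
    uint32_t sa_protocol;   /* packed: directly follows sa_family, no hole */
    uint8_t  sa_addr[24];
} __attribute__((packed));

/* Stand-in for whatever the stack held before the variable was declared. */
#define POISON ((uint8_t)0xAA)

/* Padding between sa_family and sa_protocol, from the offsets the compiler chose. */
size_t unpacked_hole_bytes(void)
{
    return offsetof(struct addr_unpacked, sa_protocol)
         - (offsetof(struct addr_unpacked, sa_family) + sizeof(uint16_t));
}

size_t packed_hole_bytes(void)
{
    return offsetof(struct addr_packed, sa_protocol)
         - (offsetof(struct addr_packed, sa_family) + sizeof(uint16_t));
}

/*
 * Store the three fields into a byte image of the struct at the given
 * offsets and touch nothing else: exactly what field-by-field assignment
 * to a stack variable does, padding included.
 */
static void store_fields(uint8_t *img, size_t off_family, size_t off_proto, size_t off_addr)
{
    uint16_t family = 0x0001;    /* constructed values, not AF_PPPOX / PX_PROTO_OE */
    uint32_t proto  = 0x00000002;
    uint8_t  addr[24];

    memset(addr, 0x11, sizeof addr);
    memcpy(img + off_family, &family, sizeof family);
    memcpy(img + off_proto,  &proto,  sizeof proto);
    memcpy(img + off_addr,   addr,    sizeof addr);
}

/* Bytes still holding POISON after a fill: each one would reach userspace unwritten. */
static size_t count_poison(const uint8_t *img, size_t n)
{
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        leaked += (img[i] == POISON);
    return leaked;
}

/* The reported pattern on the unpacked layout: no memset, fields set one by one. */
size_t leaked_unpacked_no_memset(void)
{
    uint8_t img[sizeof(struct addr_unpacked)];
    memset(img, POISON, sizeof img);
    store_fields(img, offsetof(struct addr_unpacked, sa_family),
                 offsetof(struct addr_unpacked, sa_protocol),
                 offsetof(struct addr_unpacked, sa_addr));
    return count_poison(img, sizeof img);
}

/* Same pattern on the packed layout: no hole, so no old byte survives. */
size_t leaked_packed_no_memset(void)
{
    uint8_t img[sizeof(struct addr_packed)];
    memset(img, POISON, sizeof img);
    store_fields(img, offsetof(struct addr_packed, sa_family),
                 offsetof(struct addr_packed, sa_protocol),
                 offsetof(struct addr_packed, sa_addr));
    return count_poison(img, sizeof img);
}

/* The unpacked layout with the proposed fix: zero the whole object before any field store. */
size_t leaked_unpacked_with_memset(void)
{
    uint8_t img[sizeof(struct addr_unpacked)];
    memset(img, POISON, sizeof img);   /* old stack contents ...                 */
    memset(img, 0, sizeof img);        /* ... wiped, as memset(&sp, 0, len) does */
    store_fields(img, offsetof(struct addr_unpacked, sa_family),
                 offsetof(struct addr_unpacked, sa_protocol),
                 offsetof(struct addr_unpacked, sa_addr));
    return count_poison(img, sizeof img);
}

int main(void)
{
    printf("unpacked: sizeof=%zu hole=%zu leaked=%zu, with memset=%zu\n",
           sizeof(struct addr_unpacked), unpacked_hole_bytes(),
           leaked_unpacked_no_memset(), leaked_unpacked_with_memset());
    printf("packed:   sizeof=%zu hole=%zu leaked=%zu\n",
           sizeof(struct addr_packed), packed_hole_bytes(), leaked_packed_no_memset());
    return 0;
}
```

On a typical x86-64 or arm64 build the unpacked layout reports a 2-byte hole and 2 leaked bytes without the memset, while the packed layout reports neither, which is the point Jakub makes above. The same offsetof arithmetic is the check to run on the real struct before arguing about a hole; GCC and Clang's `-Wpadded` warning reports inserted padding at compile time for the whole translation unit.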