From patchwork Wed Nov 3 16:14:31 2021
X-Patchwork-Submitter: butt3rflyh4ck
X-Patchwork-Id: 12601135
X-Patchwork-Delegate: kuba@kernel.org
From: butt3rflyh4ck
Date: Thu, 4 Nov 2021 00:14:31 +0800
Subject: A kernel-infoleak bug in pppoe_getname() in drivers/net/ppp/pppoe.c
To: mostrows@earthlink.net, "David S. Miller", Jakub Kicinski
Cc: Networking, LKML
X-Mailing-List: netdev@vger.kernel.org

Hi,

I report a kernel-infoleak bug in pppoe_getname() in drivers/net/ppp/pppoe.c. And we can call the getname ioctl to invoke pppoe_getname().

### analyze

```
static int pppoe_getname(struct socket *sock, struct sockaddr *uaddr,
			 int peer)
{
	int len = sizeof(struct sockaddr_pppox);
	struct sockaddr_pppox sp;	/* ---> 'sp' is defined on the stack but is not cleared */

	sp.sa_family = AF_PPPOX;	/* ---> sp.sa_family is a short type, just 2 bytes in size */
	sp.sa_protocol = PX_PROTO_OE;

	memcpy(&sp.sa_addr.pppoe, &pppox_sk(sock->sk)->pppoe_pa,
	       sizeof(struct pppoe_addr));

	memcpy(uaddr, &sp, len);

	return len;
}
```

There is an anonymous 2-byte hole after sa_family; make sure to clear it.

### fix

Use memset() to clear the struct sockaddr_pppox sp.

```
memcpy(&sp.sa_addr.pppoe, &pppox_sk(sock->sk)->pppoe_pa,
```

The attachment is a patch.

Regards,
butt3rflyh4ck.
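The mechanism the report describes, as an added example that is not part of the original mail or of the kernel's code: a constructed struct with the same field order the report names (a 2-byte family, a 4-byte protocol field, then an address payload) is filled once the way the unpatched function does it, writing only the named fields, and once after a memset(), the way the fix does it. Stale stack contents are simulated with a sentinel byte so the count of bytes that would reach the caller uninitialised can be measured. The struct name, the sentinel and the sample address are assumptions for illustration; the numeric values used for the family and protocol are Linux's AF_PPPOX and PX_PROTO_OE, used here only as plain constants.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the layout the report describes: a 2-byte
 * address family, a 4-byte protocol field and an address payload. It is
 * NOT the kernel's struct sockaddr_pppox. On common ABIs the compiler
 * inserts a 2-byte hole between `family` and `protocol` so that
 * `protocol` is 4-byte aligned. */
struct addr_out {
    uint16_t family;
    uint32_t protocol;
    unsigned char addr[24];
};

enum {
    FAMILY_PPPOX = 24,   /* numeric value of AF_PPPOX on Linux */
    PROTO_OE     = 0,    /* numeric value of PX_PROTO_OE on Linux */
    STALE        = 0xAA  /* sentinel standing in for whatever the stack held */
};

/* Constructed 24-byte address payload; deliberately contains no 0xAA byte
 * so a sentinel byte left in the output can only come from padding. */
static const unsigned char sample_addr[24] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
};

/* Size of the padding hole after `family`, computed from the real layout
 * rather than assumed. */
size_t padding_hole_bytes(void)
{
    return offsetof(struct addr_out, protocol)
         - (offsetof(struct addr_out, family) + sizeof(uint16_t));
}

/* Mirrors the reported pattern: every named field is written, the
 * padding bytes are not touched. */
static void fill_leaky(struct addr_out *out)
{
    out->family = FAMILY_PPPOX;
    out->protocol = PROTO_OE;
    memcpy(out->addr, sample_addr, sizeof out->addr);
}

/* Mirrors the fix: zero the whole object, padding included, before
 * filling in the fields. */
static void fill_cleared(struct addr_out *out)
{
    memset(out, 0, sizeof *out);
    fill_leaky(out);
}

/* Count bytes of the object that still hold the sentinel, i.e. bytes that
 * would have carried stale stack contents to the caller. */
static size_t stale_bytes(const struct addr_out *out)
{
    const unsigned char *p = (const unsigned char *)out;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *out; i++)
        if (p[i] == STALE)
            n++;
    return n;
}

/* Simulate the unpatched function: the object starts out holding stale
 * contents, and only the fields are written before it is copied out. */
size_t leaked_bytes_unpatched(void)
{
    struct addr_out out;
    memset(&out, STALE, sizeof out);  /* stand-in for uninitialised stack */
    fill_leaky(&out);
    return stale_bytes(&out);
}

/* Simulate the patched function: same starting state, memset() first. */
size_t leaked_bytes_patched(void)
{
    struct addr_out out;
    memset(&out, STALE, sizeof out);
    fill_cleared(&out);
    return stale_bytes(&out);
}

int main(void)
{
    printf("padding hole after family: %zu byte(s)\n", padding_hole_bytes());
    printf("unpatched copy leaks %zu byte(s)\n", leaked_bytes_unpatched());
    printf("patched copy leaks %zu byte(s)\n", leaked_bytes_patched());
    return 0;
}
```

The sentinel trick is only a model: reading genuinely uninitialised stack memory is undefined behaviour in C, so the example seeds the object explicitly and then measures what the field-by-field fill leaves behind. Because the hole size is derived with offsetof() from the actual layout, the same check can be pointed at any struct that is copied whole to a less trusted domain.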
From 5a2d0282931967dc9d90248221b3120e1e33551c Mon Sep 17 00:00:00 2001 From: Xiaolong Huang Date: Wed, 3 Nov 2021 23:33:55 +0800 Subject: [PATCH] net: ppp: pppoe: fix a kernel-infoleak in pppoe_getname() The struct sockaddr_pppox has a 2-byte hole, and pppoe_getname() currently does not clear it before copying kernel data to user space. Signed-off-by: Xiaolong Huang --- drivers/net/ppp/pppoe.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c index 3619520340b7..fec328ad7202 100644 --- a/drivers/net/ppp/pppoe.c +++ b/drivers/net/ppp/pppoe.c @@ -723,6 +723,11 @@ static int pppoe_getname(struct socket *sock, struct sockaddr *uaddr, int len = sizeof(struct sockaddr_pppox); struct sockaddr_pppox sp; + /* There is an anonymous 2-byte hole after sa_family, + * make sure to clear it. + */ + memset(&sp, 0, len); + sp.sa_family = AF_PPPOX; sp.sa_protocol = PX_PROTO_OE; memcpy(&sp.sa_addr.pppoe, &pppox_sk(sock->sk)->pppoe_pa, -- 2.25.1
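Review bot: memset(&sp, 0, len) is the right choice here over an initializer such as `struct sockaddr_pppox sp = { 0 };`, because the C standard does not require an initializer to zero padding bytes, and it is exactly the padding that reaches user space through the later memcpy(uaddr, &sp, len); the added comment names only the 2-byte hole after sa_family, so a sentence recording that reasoning there (or in the commit message) would keep the next person from "simplifying" it back to an initializer. A minor point: since `len` is sizeof(struct sockaddr_pppox), `memset(&sp, 0, sizeof(sp))` ties the cleared size to the variable itself rather than to a value computed a line earlier.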