aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2013-04-07 16:42:40 -0400
committerDavid S. Miller <davem@davemloft.net>2013-04-07 16:42:40 -0400
commitf89e8a6432409c6cbd5c2b6bb90ea694fd558de3 (patch)
tree01aaa7cb29147cba0fcc1202a03bbf1af598be62
parent50a75a8914539c5dcd441c5f54d237a666a426fd (diff)
parentd5e0d0f607a7a029c6563a0470d88255c89a8d11 (diff)
Merge branch 'infoleaks'
Mathias Krause says: ==================== a few more info leak fixes in the recvmsg path. The error pattern here is the protocol specific recvmsg function is missing the msg_namelen assignment -- either completely or in early exit paths that do not result in errors in __sys_recvmsg()/sys_recvfrom() and, in turn, make them call move_addr_to_user(), leaking the then still uninitialized sockaddr_storage stack variable to userland. My audit was initiated by a rather coarse fix of the leak that can be found in the grsecurity patch, putting a penalty on protocols complying to the rules of recvmsg. So credits for finding the leak in the recvmsg path in __sys_recvmsg() should go to Brad! The buggy protocols/subsystems are rather obscure anyway. As a missing assignment of msg_namelen coupled with a missing filling of msg_name would only result in garbage -- the leak -- in case userland would care about that information, i.e. would provide a msg_name pointer. But obviously current userland does not. While auditing the code for the above pattern I found a few more 'uninitialized members' kind of leaks related to the msg_name filling. Those are fixed in this series, too. I have to admit, I failed to test all of the patches due to missing hardware, e.g. iucv depends on S390 -- hardware I've no access to :/ ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat
-rw-r--r--net/atm/common.c2
-rw-r--r--net/ax25/af_ax25.c1
-rw-r--r--net/bluetooth/af_bluetooth.c4
-rw-r--r--net/bluetooth/rfcomm/sock.c1
-rw-r--r--net/bluetooth/sco.c1
-rw-r--r--net/caif/caif_socket.c2
-rw-r--r--net/irda/af_irda.c2
-rw-r--r--net/iucv/af_iucv.c2
-rw-r--r--net/l2tp/l2tp_ip6.c1
-rw-r--r--net/llc/af_llc.c2
-rw-r--r--net/netrom/af_netrom.c1
-rw-r--r--net/nfc/llcp/sock.c3
-rw-r--r--net/rose/af_rose.c1
-rw-r--r--net/tipc/socket.c7
-rw-r--r--net/vmw_vsock/af_vsock.c2
-rw-r--r--net/vmw_vsock/vmci_transport.c3
16 files changed, 32 insertions, 3 deletions
diff --git a/net/atm/common.c b/net/atm/common.c
index 7b491006eaf4..737bef59ce89 100644
--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -531,6 +531,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
531 struct sk_buff *skb; 531 struct sk_buff *skb;
532 int copied, error = -EINVAL; 532 int copied, error = -EINVAL;
533 533
534 msg->msg_namelen = 0;
535
534 if (sock->state != SS_CONNECTED) 536 if (sock->state != SS_CONNECTED)
535 return -ENOTCONN; 537 return -ENOTCONN;
536 538
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 7b11f8bc5071..e277e38f736b 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1642,6 +1642,7 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock,
1642 ax25_address src; 1642 ax25_address src;
1643 const unsigned char *mac = skb_mac_header(skb); 1643 const unsigned char *mac = skb_mac_header(skb);
1644 1644
1645 memset(sax, 0, sizeof(struct full_sockaddr_ax25));
1645 ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL, 1646 ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
1646 &digi, NULL, NULL); 1647 &digi, NULL, NULL);
1647 sax->sax25_family = AF_AX25; 1648 sax->sax25_family = AF_AX25;
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index d3ee69b35a78..0d1b08cc76e1 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -230,6 +230,8 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
230 if (flags & (MSG_OOB)) 230 if (flags & (MSG_OOB))
231 return -EOPNOTSUPP; 231 return -EOPNOTSUPP;
232 232
233 msg->msg_namelen = 0;
234
233 skb = skb_recv_datagram(sk, flags, noblock, &err); 235 skb = skb_recv_datagram(sk, flags, noblock, &err);
234 if (!skb) { 236 if (!skb) {
235 if (sk->sk_shutdown & RCV_SHUTDOWN) 237 if (sk->sk_shutdown & RCV_SHUTDOWN)
@@ -237,8 +239,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
237 return err; 239 return err;
238 } 240 }
239 241
240 msg->msg_namelen = 0;
241
242 copied = skb->len; 242 copied = skb->len;
243 if (len < copied) { 243 if (len < copied) {
244 msg->msg_flags |= MSG_TRUNC; 244 msg->msg_flags |= MSG_TRUNC;
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index c23bae86263b..7c9224bcce17 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -608,6 +608,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
608 608
609 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { 609 if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
610 rfcomm_dlc_accept(d); 610 rfcomm_dlc_accept(d);
611 msg->msg_namelen = 0;
611 return 0; 612 return 0;
612 } 613 }
613 614
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index fad0302bdb32..fb6192c9812e 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -665,6 +665,7 @@ static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
665 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { 665 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
666 hci_conn_accept(pi->conn->hcon, 0); 666 hci_conn_accept(pi->conn->hcon, 0);
667 sk->sk_state = BT_CONFIG; 667 sk->sk_state = BT_CONFIG;
668 msg->msg_namelen = 0;
668 669
669 release_sock(sk); 670 release_sock(sk);
670 return 0; 671 return 0;
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 095259f83902..ff2ff3ce6965 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -286,6 +286,8 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock,
286 if (m->msg_flags&MSG_OOB) 286 if (m->msg_flags&MSG_OOB)
287 goto read_error; 287 goto read_error;
288 288
289 m->msg_namelen = 0;
290
289 skb = skb_recv_datagram(sk, flags, 0 , &ret); 291 skb = skb_recv_datagram(sk, flags, 0 , &ret);
290 if (!skb) 292 if (!skb)
291 goto read_error; 293 goto read_error;
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index d28e7f014cc6..e493b3397ae3 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1386,6 +1386,8 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock,
1386 1386
1387 IRDA_DEBUG(4, "%s()\n", __func__); 1387 IRDA_DEBUG(4, "%s()\n", __func__);
1388 1388
1389 msg->msg_namelen = 0;
1390
1389 skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, 1391 skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
1390 flags & MSG_DONTWAIT, &err); 1392 flags & MSG_DONTWAIT, &err);
1391 if (!skb) 1393 if (!skb)
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index a7d11ffe4284..bf6935820001 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -1328,6 +1328,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
1328 struct sk_buff *skb, *rskb, *cskb; 1328 struct sk_buff *skb, *rskb, *cskb;
1329 int err = 0; 1329 int err = 0;
1330 1330
1331 msg->msg_namelen = 0;
1332
1331 if ((sk->sk_state == IUCV_DISCONN) && 1333 if ((sk->sk_state == IUCV_DISCONN) &&
1332 skb_queue_empty(&iucv->backlog_skb_q) && 1334 skb_queue_empty(&iucv->backlog_skb_q) &&
1333 skb_queue_empty(&sk->sk_receive_queue) && 1335 skb_queue_empty(&sk->sk_receive_queue) &&
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index c74f5a91ff6a..b8a6039314e8 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -690,6 +690,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk,
690 lsa->l2tp_addr = ipv6_hdr(skb)->saddr; 690 lsa->l2tp_addr = ipv6_hdr(skb)->saddr;
691 lsa->l2tp_flowinfo = 0; 691 lsa->l2tp_flowinfo = 0;
692 lsa->l2tp_scope_id = 0; 692 lsa->l2tp_scope_id = 0;
693 lsa->l2tp_conn_id = 0;
693 if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL) 694 if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
694 lsa->l2tp_scope_id = IP6CB(skb)->iif; 695 lsa->l2tp_scope_id = IP6CB(skb)->iif;
695 } 696 }
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 88709882c464..48aaa89253e0 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -720,6 +720,8 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
720 int target; /* Read at least this many bytes */ 720 int target; /* Read at least this many bytes */
721 long timeo; 721 long timeo;
722 722
723 msg->msg_namelen = 0;
724
723 lock_sock(sk); 725 lock_sock(sk);
724 copied = -ENOTCONN; 726 copied = -ENOTCONN;
725 if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN)) 727 if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index d1fa1d9ffd2e..7fcb307dea47 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -1173,6 +1173,7 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
1173 } 1173 }
1174 1174
1175 if (sax != NULL) { 1175 if (sax != NULL) {
1176 memset(sax, 0, sizeof(sax));
1176 sax->sax25_family = AF_NETROM; 1177 sax->sax25_family = AF_NETROM;
1177 skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call, 1178 skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
1178 AX25_ADDR_LEN); 1179 AX25_ADDR_LEN);
diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
index 8f025746f337..6c94447ec414 100644
--- a/net/nfc/llcp/sock.c
+++ b/net/nfc/llcp/sock.c
@@ -646,6 +646,8 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
646 646
647 pr_debug("%p %zu\n", sk, len); 647 pr_debug("%p %zu\n", sk, len);
648 648
649 msg->msg_namelen = 0;
650
649 lock_sock(sk); 651 lock_sock(sk);
650 652
651 if (sk->sk_state == LLCP_CLOSED && 653 if (sk->sk_state == LLCP_CLOSED &&
@@ -691,6 +693,7 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
691 693
692 pr_debug("Datagram socket %d %d\n", ui_cb->dsap, ui_cb->ssap); 694 pr_debug("Datagram socket %d %d\n", ui_cb->dsap, ui_cb->ssap);
693 695
696 memset(sockaddr, 0, sizeof(*sockaddr));
694 sockaddr->sa_family = AF_NFC; 697 sockaddr->sa_family = AF_NFC;
695 sockaddr->nfc_protocol = NFC_PROTO_NFC_DEP; 698 sockaddr->nfc_protocol = NFC_PROTO_NFC_DEP;
696 sockaddr->dsap = ui_cb->dsap; 699 sockaddr->dsap = ui_cb->dsap;
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index cf68e6e4054a..9c8347451597 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1253,6 +1253,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
1253 skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); 1253 skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
1254 1254
1255 if (srose != NULL) { 1255 if (srose != NULL) {
1256 memset(srose, 0, msg->msg_namelen);
1256 srose->srose_family = AF_ROSE; 1257 srose->srose_family = AF_ROSE;
1257 srose->srose_addr = rose->dest_addr; 1258 srose->srose_addr = rose->dest_addr;
1258 srose->srose_call = rose->dest_call; 1259 srose->srose_call = rose->dest_call;
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index a9622b6cd916..515ce38e4f4c 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -790,6 +790,7 @@ static void set_orig_addr(struct msghdr *m, struct tipc_msg *msg)
790 if (addr) { 790 if (addr) {
791 addr->family = AF_TIPC; 791 addr->family = AF_TIPC;
792 addr->addrtype = TIPC_ADDR_ID; 792 addr->addrtype = TIPC_ADDR_ID;
793 memset(&addr->addr, 0, sizeof(addr->addr));
793 addr->addr.id.ref = msg_origport(msg); 794 addr->addr.id.ref = msg_origport(msg);
794 addr->addr.id.node = msg_orignode(msg); 795 addr->addr.id.node = msg_orignode(msg);
795 addr->addr.name.domain = 0; /* could leave uninitialized */ 796 addr->addr.name.domain = 0; /* could leave uninitialized */
@@ -904,6 +905,9 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock,
904 goto exit; 905 goto exit;
905 } 906 }
906 907
908 /* will be updated in set_orig_addr() if needed */
909 m->msg_namelen = 0;
910
907 timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); 911 timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
908restart: 912restart:
909 913
@@ -1013,6 +1017,9 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock,
1013 goto exit; 1017 goto exit;
1014 } 1018 }
1015 1019
1020 /* will be updated in set_orig_addr() if needed */
1021 m->msg_namelen = 0;
1022
1016 target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len); 1023 target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len);
1017 timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); 1024 timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
1018 1025
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index d8079daf1bde..7f93e2a42d7a 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1670,6 +1670,8 @@ vsock_stream_recvmsg(struct kiocb *kiocb,
1670 vsk = vsock_sk(sk); 1670 vsk = vsock_sk(sk);
1671 err = 0; 1671 err = 0;
1672 1672
1673 msg->msg_namelen = 0;
1674
1673 lock_sock(sk); 1675 lock_sock(sk);
1674 1676
1675 if (sk->sk_state != SS_CONNECTED) { 1677 if (sk->sk_state != SS_CONNECTED) {
diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index 1f6508e249ae..5e04d3d96285 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1736,6 +1736,8 @@ static int vmci_transport_dgram_dequeue(struct kiocb *kiocb,
1736 if (flags & MSG_OOB || flags & MSG_ERRQUEUE) 1736 if (flags & MSG_OOB || flags & MSG_ERRQUEUE)
1737 return -EOPNOTSUPP; 1737 return -EOPNOTSUPP;
1738 1738
1739 msg->msg_namelen = 0;
1740
1739 /* Retrieve the head sk_buff from the socket's receive queue. */ 1741 /* Retrieve the head sk_buff from the socket's receive queue. */
1740 err = 0; 1742 err = 0;
1741 skb = skb_recv_datagram(&vsk->sk, flags, noblock, &err); 1743 skb = skb_recv_datagram(&vsk->sk, flags, noblock, &err);
@@ -1768,7 +1770,6 @@ static int vmci_transport_dgram_dequeue(struct kiocb *kiocb,
1768 if (err) 1770 if (err)
1769 goto out; 1771 goto out;
1770 1772
1771 msg->msg_namelen = 0;
1772 if (msg->msg_name) { 1773 if (msg->msg_name) {
1773 struct sockaddr_vm *vm_addr; 1774 struct sockaddr_vm *vm_addr;
1774 1775
generated by cgit v1.2.2 (git 2.25.0) at 2025-04-03 09:22:58 -0400