diff options
| author | Mathias Krause <minipli@googlemail.com> | 2013-09-30 16:03:06 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2013-10-02 16:03:50 -0400 |
| commit | e727ca82e0e9616ab4844301e6bae60ca7327682 (patch) | |
| tree | f9e161f1ec2cba611a40603b3b9c4d5244930bab /drivers/connector | |
| parent | c31eeaced22ce8bd61268a3c595d542bb38c0a4f (diff) | |
proc connector: fix info leaks
Initialize event_data for all possible message types to prevent leaking
kernel stack contents to userland (up to 20 bytes). Also set the flags
member of the connector message to 0 to prevent leaking two more stack
bytes this way.
Cc: stable@vger.kernel.org # v2.6.15+
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/connector')
| -rw-r--r-- | drivers/connector/cn_proc.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c index 08ae128cce9b..c73fc2b74de2 100644 --- a/drivers/connector/cn_proc.c +++ b/drivers/connector/cn_proc.c | |||
| @@ -65,6 +65,7 @@ void proc_fork_connector(struct task_struct *task) | |||
| 65 | 65 | ||
| 66 | msg = (struct cn_msg *)buffer; | 66 | msg = (struct cn_msg *)buffer; |
| 67 | ev = (struct proc_event *)msg->data; | 67 | ev = (struct proc_event *)msg->data; |
| 68 | memset(&ev->event_data, 0, sizeof(ev->event_data)); | ||
| 68 | get_seq(&msg->seq, &ev->cpu); | 69 | get_seq(&msg->seq, &ev->cpu); |
| 69 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ | 70 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ |
| 70 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); | 71 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); |
| @@ -80,6 +81,7 @@ void proc_fork_connector(struct task_struct *task) | |||
| 80 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); | 81 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); |
| 81 | msg->ack = 0; /* not used */ | 82 | msg->ack = 0; /* not used */ |
| 82 | msg->len = sizeof(*ev); | 83 | msg->len = sizeof(*ev); |
| 84 | msg->flags = 0; /* not used */ | ||
| 83 | /* If cn_netlink_send() failed, the data is not sent */ | 85 | /* If cn_netlink_send() failed, the data is not sent */ |
| 84 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); | 86 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); |
| 85 | } | 87 | } |
| @@ -96,6 +98,7 @@ void proc_exec_connector(struct task_struct *task) | |||
| 96 | 98 | ||
| 97 | msg = (struct cn_msg *)buffer; | 99 | msg = (struct cn_msg *)buffer; |
| 98 | ev = (struct proc_event *)msg->data; | 100 | ev = (struct proc_event *)msg->data; |
| 101 | memset(&ev->event_data, 0, sizeof(ev->event_data)); | ||
| 99 | get_seq(&msg->seq, &ev->cpu); | 102 | get_seq(&msg->seq, &ev->cpu); |
| 100 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ | 103 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ |
| 101 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); | 104 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); |
| @@ -106,6 +109,7 @@ void proc_exec_connector(struct task_struct *task) | |||
| 106 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); | 109 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); |
| 107 | msg->ack = 0; /* not used */ | 110 | msg->ack = 0; /* not used */ |
| 108 | msg->len = sizeof(*ev); | 111 | msg->len = sizeof(*ev); |
| 112 | msg->flags = 0; /* not used */ | ||
| 109 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); | 113 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); |
| 110 | } | 114 | } |
| 111 | 115 | ||
| @@ -122,6 +126,7 @@ void proc_id_connector(struct task_struct *task, int which_id) | |||
| 122 | 126 | ||
| 123 | msg = (struct cn_msg *)buffer; | 127 | msg = (struct cn_msg *)buffer; |
| 124 | ev = (struct proc_event *)msg->data; | 128 | ev = (struct proc_event *)msg->data; |
| 129 | memset(&ev->event_data, 0, sizeof(ev->event_data)); | ||
| 125 | ev->what = which_id; | 130 | ev->what = which_id; |
| 126 | ev->event_data.id.process_pid = task->pid; | 131 | ev->event_data.id.process_pid = task->pid; |
| 127 | ev->event_data.id.process_tgid = task->tgid; | 132 | ev->event_data.id.process_tgid = task->tgid; |
| @@ -145,6 +150,7 @@ void proc_id_connector(struct task_struct *task, int which_id) | |||
| 145 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); | 150 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); |
| 146 | msg->ack = 0; /* not used */ | 151 | msg->ack = 0; /* not used */ |
| 147 | msg->len = sizeof(*ev); | 152 | msg->len = sizeof(*ev); |
| 153 | msg->flags = 0; /* not used */ | ||
| 148 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); | 154 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); |
| 149 | } | 155 | } |
| 150 | 156 | ||
| @@ -160,6 +166,7 @@ void proc_sid_connector(struct task_struct *task) | |||
| 160 | 166 | ||
| 161 | msg = (struct cn_msg *)buffer; | 167 | msg = (struct cn_msg *)buffer; |
| 162 | ev = (struct proc_event *)msg->data; | 168 | ev = (struct proc_event *)msg->data; |
| 169 | memset(&ev->event_data, 0, sizeof(ev->event_data)); | ||
| 163 | get_seq(&msg->seq, &ev->cpu); | 170 | get_seq(&msg->seq, &ev->cpu); |
| 164 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ | 171 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ |
| 165 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); | 172 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); |
| @@ -170,6 +177,7 @@ void proc_sid_connector(struct task_struct *task) | |||
| 170 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); | 177 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); |
| 171 | msg->ack = 0; /* not used */ | 178 | msg->ack = 0; /* not used */ |
| 172 | msg->len = sizeof(*ev); | 179 | msg->len = sizeof(*ev); |
| 180 | msg->flags = 0; /* not used */ | ||
| 173 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); | 181 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); |
| 174 | } | 182 | } |
| 175 | 183 | ||
| @@ -185,6 +193,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id) | |||
| 185 | 193 | ||
| 186 | msg = (struct cn_msg *)buffer; | 194 | msg = (struct cn_msg *)buffer; |
| 187 | ev = (struct proc_event *)msg->data; | 195 | ev = (struct proc_event *)msg->data; |
| 196 | memset(&ev->event_data, 0, sizeof(ev->event_data)); | ||
| 188 | get_seq(&msg->seq, &ev->cpu); | 197 | get_seq(&msg->seq, &ev->cpu); |
| 189 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ | 198 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ |
| 190 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); | 199 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); |
| @@ -203,6 +212,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id) | |||
| 203 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); | 212 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); |
| 204 | msg->ack = 0; /* not used */ | 213 | msg->ack = 0; /* not used */ |
| 205 | msg->len = sizeof(*ev); | 214 | msg->len = sizeof(*ev); |
| 215 | msg->flags = 0; /* not used */ | ||
| 206 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); | 216 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); |
| 207 | } | 217 | } |
| 208 | 218 | ||
| @@ -218,6 +228,7 @@ void proc_comm_connector(struct task_struct *task) | |||
| 218 | 228 | ||
| 219 | msg = (struct cn_msg *)buffer; | 229 | msg = (struct cn_msg *)buffer; |
| 220 | ev = (struct proc_event *)msg->data; | 230 | ev = (struct proc_event *)msg->data; |
| 231 | memset(&ev->event_data, 0, sizeof(ev->event_data)); | ||
| 221 | get_seq(&msg->seq, &ev->cpu); | 232 | get_seq(&msg->seq, &ev->cpu); |
| 222 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ | 233 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ |
| 223 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); | 234 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); |
| @@ -229,6 +240,7 @@ void proc_comm_connector(struct task_struct *task) | |||
| 229 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); | 240 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); |
| 230 | msg->ack = 0; /* not used */ | 241 | msg->ack = 0; /* not used */ |
| 231 | msg->len = sizeof(*ev); | 242 | msg->len = sizeof(*ev); |
| 243 | msg->flags = 0; /* not used */ | ||
| 232 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); | 244 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); |
| 233 | } | 245 | } |
| 234 | 246 | ||
| @@ -244,6 +256,7 @@ void proc_coredump_connector(struct task_struct *task) | |||
| 244 | 256 | ||
| 245 | msg = (struct cn_msg *)buffer; | 257 | msg = (struct cn_msg *)buffer; |
| 246 | ev = (struct proc_event *)msg->data; | 258 | ev = (struct proc_event *)msg->data; |
| 259 | memset(&ev->event_data, 0, sizeof(ev->event_data)); | ||
| 247 | get_seq(&msg->seq, &ev->cpu); | 260 | get_seq(&msg->seq, &ev->cpu); |
| 248 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ | 261 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ |
| 249 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); | 262 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); |
| @@ -254,6 +267,7 @@ void proc_coredump_connector(struct task_struct *task) | |||
| 254 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); | 267 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); |
| 255 | msg->ack = 0; /* not used */ | 268 | msg->ack = 0; /* not used */ |
| 256 | msg->len = sizeof(*ev); | 269 | msg->len = sizeof(*ev); |
| 270 | msg->flags = 0; /* not used */ | ||
| 257 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); | 271 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); |
| 258 | } | 272 | } |
| 259 | 273 | ||
| @@ -269,6 +283,7 @@ void proc_exit_connector(struct task_struct *task) | |||
| 269 | 283 | ||
| 270 | msg = (struct cn_msg *)buffer; | 284 | msg = (struct cn_msg *)buffer; |
| 271 | ev = (struct proc_event *)msg->data; | 285 | ev = (struct proc_event *)msg->data; |
| 286 | memset(&ev->event_data, 0, sizeof(ev->event_data)); | ||
| 272 | get_seq(&msg->seq, &ev->cpu); | 287 | get_seq(&msg->seq, &ev->cpu); |
| 273 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ | 288 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ |
| 274 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); | 289 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); |
| @@ -281,6 +296,7 @@ void proc_exit_connector(struct task_struct *task) | |||
| 281 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); | 296 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); |
| 282 | msg->ack = 0; /* not used */ | 297 | msg->ack = 0; /* not used */ |
| 283 | msg->len = sizeof(*ev); | 298 | msg->len = sizeof(*ev); |
| 299 | msg->flags = 0; /* not used */ | ||
| 284 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); | 300 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); |
| 285 | } | 301 | } |
| 286 | 302 | ||
| @@ -304,6 +320,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack) | |||
| 304 | 320 | ||
| 305 | msg = (struct cn_msg *)buffer; | 321 | msg = (struct cn_msg *)buffer; |
| 306 | ev = (struct proc_event *)msg->data; | 322 | ev = (struct proc_event *)msg->data; |
| 323 | memset(&ev->event_data, 0, sizeof(ev->event_data)); | ||
| 307 | msg->seq = rcvd_seq; | 324 | msg->seq = rcvd_seq; |
| 308 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ | 325 | ktime_get_ts(&ts); /* get high res monotonic timestamp */ |
| 309 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); | 326 | put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); |
| @@ -313,6 +330,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack) | |||
| 313 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); | 330 | memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); |
| 314 | msg->ack = rcvd_ack + 1; | 331 | msg->ack = rcvd_ack + 1; |
| 315 | msg->len = sizeof(*ev); | 332 | msg->len = sizeof(*ev); |
| 333 | msg->flags = 0; /* not used */ | ||
| 316 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); | 334 | cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); |
| 317 | } | 335 | } |
| 318 | 336 | ||