Patchwork CAN: Use inode instead of kernel address for /proc file

login
register
mail settings
Submitter Dan Rosenberg
Date Dec. 25, 2010, 10:16 p.m.
Message ID <1293315371.9764.44.camel@Dan>
Download mbox | patch
Permalink /patch/76703/
State Changes Requested
Delegated to: David Miller
Headers show

Comments

Dan Rosenberg - Dec. 25, 2010, 10:16 p.m.
Since the socket address is just being used as a unique identifier, its
inode number is an alternative that does not leak potentially sensitive
information.

CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable <stable@kernel.org>
---
 net/can/bcm.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Oliver Hartkopp - Dec. 25, 2010, 10:22 p.m.
On 25.12.2010 23:16, Dan Rosenberg wrote:
> Since the socket address is just being used as a unique identifier, its
> inode number is an alternative that does not leak potentially sensitive
> information.
> 
> CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.
> 
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: stable <stable@kernel.org>

Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>

Thanks Dan.

> ---
>  net/can/bcm.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/can/bcm.c b/net/can/bcm.c
> index 6faa825..5748901 100644
> --- a/net/can/bcm.c
> +++ b/net/can/bcm.c
> @@ -1520,8 +1520,8 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
>  	bo->bound = 1;
>  
>  	if (proc_dir) {
> -		/* unique socket address as filename */
> -		sprintf(bo->procname, "%p", sock);
> +		/* socket inode as filename */
> +		sprintf(bo->procname, "%lx", sock_i_ino(sk));
>  		bo->bcm_proc_read = proc_create_data(bo->procname, 0644,
>  						     proc_dir,
>  						     &bcm_proc_fops, sk);
> 

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Oliver Hartkopp - Dec. 25, 2010, 10:31 p.m.
On 25.12.2010 23:22, Oliver Hartkopp wrote:
> On 25.12.2010 23:16, Dan Rosenberg wrote:
>> Since the socket address is just being used as a unique identifier, its
>> inode number is an alternative that does not leak potentially sensitive
>> information.
>>
>> CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.
>>
>> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
>> Cc: stable <stable@kernel.org>
> 
> Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
> 
> Thanks Dan.
> 
>> ---
>>  net/can/bcm.c |    4 ++--
>>  1 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/can/bcm.c b/net/can/bcm.c
>> index 6faa825..5748901 100644
>> --- a/net/can/bcm.c
>> +++ b/net/can/bcm.c
>> @@ -1520,8 +1520,8 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
>>  	bo->bound = 1;
>>  
>>  	if (proc_dir) {
>> -		/* unique socket address as filename */
>> -		sprintf(bo->procname, "%p", sock);
>> +		/* socket inode as filename */
>> +		sprintf(bo->procname, "%lx", sock_i_ino(sk));

One minor question:

AFAIK the inode numbers that can be found in /proc/<pid>/fd/* are in decimal
and not in hex, right?

If so, you should use '%lu' instead of '%lx' in the patch.

Regards,
Oliver
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Dan Rosenberg - Dec. 25, 2010, 10:41 p.m.
> 
> One minor question:
> 
> AFAIK the inode numbers that can be found in /proc/<pid>/fd/* are in decimal
> and not in hex, right?
> 
> If so, you should use '%lu' instead of '%lx' in the patch.

Yes, that's usually how they're expressed, but I did it this way for two
reasons.  Firstly, %lu would require another change to the buffer size,
since the output could be up to 20 bytes long (plus another for the NULL
terminator).  Secondly, by expressing it as hex it avoids breaking any
userland utilities that are expecting addresses, even if no such
utilities exist.

-Dan

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Oliver Hartkopp - Dec. 26, 2010, 11:29 a.m.
On 25.12.2010 23:41, Dan Rosenberg wrote:
> 
>>
>> One minor question:
>>
>> AFAIK the inode numbers that can be found in /proc/<pid>/fd/* are in decimal
>> and not in hex, right?
>>
>> If so, you should use '%lu' instead of '%lx' in the patch.
> 
> Yes, that's usually how they're expressed, but I did it this way for two
> reasons.  Firstly, %lu would require another change to the buffer size,
> since the output could be up to 20 bytes long (plus another for the NULL
> terminator).

This is not *really* a good reason as the buffer size can be changed easily
within the same patch, right? ;-)

> Secondly, by expressing it as hex it avoids breaking any
> userland utilities that are expecting addresses, even if no such
> utilities exist.

I'm very sure there are no userland utilities. And if there were any, they
only would use the filename as unique identifiers and can't do anything with
the (kernel)addresses - as you already stated in the patch description. E.g.
thinking of some shell script the content of the filename is pretty useless
unless it is unique.

The recent patch for the 64 bit compatibility broke the length of the filename
anyway, so IMO there's no real reason left to write the inode number as a hex
value for the unique filename.

Indeed having it a decimal number would bring some added value as you can
reference the filename to the numbers in /proc/<pid>/fd/* easily.

Convinced? 8-)

Regards,
Oliver
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Dan Rosenberg - Dec. 26, 2010, 4:38 p.m.
On Sun, 2010-12-26 at 12:29 +0100, Oliver Hartkopp wrote:

> Convinced? 8-)
> 

Absolutely.  I didn't mean to come across as argumentative, I was just
trying to anticipate potential objections.  I'll resend shortly.

Thanks,
Dan

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/net/can/bcm.c b/net/can/bcm.c
index 6faa825..5748901 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1520,8 +1520,8 @@  static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
 	bo->bound = 1;
 
 	if (proc_dir) {
-		/* unique socket address as filename */
-		sprintf(bo->procname, "%p", sock);
+		/* socket inode as filename */
+		sprintf(bo->procname, "%lx", sock_i_ino(sk));
 		bo->bcm_proc_read = proc_create_data(bo->procname, 0644,
 						     proc_dir,
 						     &bcm_proc_fops, sk);