unix_diag: Fix incoming connections nla length

Message ID 20111226.144245.1639855054069401229.davem@davemloft.net
State Accepted, archived
Delegated to: David Miller

Commit Message

David Miller Dec. 26, 2011, 7:42 p.m. UTC
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Mon, 26 Dec 2011 20:36:12 +0100

> if (peer)
> 	buf[i++] = sock_i_ino(peer);
> 
> So we probably leak kernel memory content to user for the (!peer) case,
> since we did:
> 
> UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS,
> 		sk->sk_receive_queue.qlen * sizeof(u32));

I just committed the following fix for this; it probably takes less
effort to post a patch for this kind of bug than to explain it, don't
you think? :)

--------------------
unix: If we happen to find peer NULL when diag dumping, write zero.

Otherwise we leave uninitialized kernel memory in there.

Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/unix/diag.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)
Patch

diff --git a/net/unix/diag.c b/net/unix/diag.c
index 39e44c9..c5bdbcb 100644
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -86,8 +86,7 @@  static int sk_diag_dump_icons(struct sock *sk, struct sk_buff *nlskb)
 			 */
 			unix_state_lock_nested(req);
 			peer = unix_sk(req)->peer;
-			if (peer)
-				buf[i++] = sock_i_ino(peer);
+			buf[i++] = (peer ? sock_i_ino(peer) : 0);
 			unix_state_unlock(req);
 		}
 		spin_unlock(&sk->sk_receive_queue.lock);
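Review bot: the unconditional `buf[i++]` is the important part of this hunk: the number of u32 entries written now always equals the `sk->sk_receive_queue.qlen` the UNIX_DIAG_ICONS attribute was sized with in the quoted `UNIX_DIAG_PUT`, so the trailing slots that the old `if (peer)` skip left uninitialized (and then copied to userspace) are no longer possible. Two small points: the parentheses around the ternary are not needed, `buf[i++] = peer ? sock_i_ino(peer) : 0;` reads as usual kernel style, and a one-line comment above it saying that a zero entry means an incoming connection whose peer is not set yet would help the next reader, since the meaning of that zero is only documented in the commit message.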