Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 18 Apr 2019 21:33:19 +0800
From: Fuqian Huang <huangfq.daxian@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel < 4.14.111 drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c
 kernel address dumps to user space

In drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c:320
ppm_destory will dump the address of ppm into dmesg,
which allows local user to read the kernel address via dmesg.
static void ppm_destroy(struct kref *kref)
{
    ...
    pr_info("ippm: kref 0, destroy %s ppm 0x%p.\n",
        ppm->ndev->name, ppm);
    ...
}

In drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c:396
and drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c:458
and drivers/net/ethernet/chelsio/libcxgb/libcxgb_ppm.c:468,
cxgbi_ppm_init will dump the address of ppm into dmesg,
which allows local user to read the kernel address via dmesg.
int cxgbi_ppm_init(void **ppm_pp, struct net_device *ndev,
           struct pci_dev *pdev, void *lldev,
           struct cxgbi_tag_format *tformat,
           unsigned int ppmax,
           unsigned int llimit,
           unsigned int start,
           unsigned int reserve_factor)
{
    ...
    if (ppm) {
        pr_info("ippm: %s, ppm 0x%p,0x%p already initialized, %u/%u.\n",
            ndev->name, ppm_pp, ppm, ppm->ppmax, ppmax);
        kref_get(&ppm->refcnt);
        return 1;
    }
    ...
    if (*ppm_pp) {
        ...
        pr_info("ippm: %s, ppm 0x%p,0x%p already initialized, %u/%u.\n",
            ndev->name, ppm_pp, *ppm_pp, ppm->ppmax, ppmax);

        kref_get(&ppm->refcnt);
        return 1;
    }
    ...
    pr_info("ippm %s: ppm 0x%p, 0x%p, base %u/%u, pg %lu,%u, rsvd %u,%u.\n",
        ndev->name, ppm_pp, ppm, ppm->base_idx, ppm->ppmax, PAGE_SIZE,
        ppm->tformat.pgsz_idx_dflt, ppm->pool_rsvd,
        ppm->pool_index_max);
    ...
}

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.