[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 18 Apr 2019 21:34:30 +0800
From: Fuqian Huang <huangfq.daxian@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel < 4.14.111 drivers/scsi/cxgbi/cxgb3i/cxgb3i.c kernel
address dumps to user space
In drivers/scsi/cxgbi/cxgb3i/cxgb3i.c:576,
do_act_open_rpl will dump the address of csk to dmesg
which allows local user to read kernel address via dmesg.
static int do_act_open_rpl(struct t3cdev *tdev, struct sk_buff *skb, void *ctx)
{
...
pr_info("csk 0x%p,%u,0x%lx,%u, status %u, %pI4:%u-%pI4:%u.\n",
csk, csk->state, csk->flags, csk->atid, rpl->status,
&csk->saddr.sin_addr.s_addr, ntohs(csk->saddr.sin_port),
&csk->daddr.sin_addr.s_addr, ntohs(csk->daddr.sin_port));
...
}
In drivers/scsi/cxgbi/cxgb3i/cxgb3i.c:1064,
cxgb3i_ofld_init will dump the address of cdev to dmesg
which allows local user to read kernel address via dmesg.
static int cxgb3i_ofld_init(struct cxgbi_device *cdev)
{
...
pr_info("cdev 0x%p, offload up, added.\n", cdev);
...
}
In drivers/scsi/cxgbi/cxgb3i/cxgb3i.c:1343,
cxgb3i_dev_open will dump the address of cdev to dmesg
which allows local user to read kernel address via dmesg.
static void cxgb3i_dev_open(struct t3cdev *t3dev)
{
...
pr_info("cdev 0x%p, f 0x%x, t3dev 0x%p open, err %d.\n",
cdev, cdev ? cdev->flags : 0, t3dev, err);
return;
...
}
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
