Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 18 Apr 2019 21:34:30 +0800
From: Fuqian Huang <huangfq.daxian@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel < 4.14.111 drivers/scsi/cxgbi/cxgb3i/cxgb3i.c kernel
 address dumps to user space

In drivers/scsi/cxgbi/cxgb3i/cxgb3i.c:576,
do_act_open_rpl will dump the address of csk to dmesg
which allows local user to read kernel address via dmesg.

static int do_act_open_rpl(struct t3cdev *tdev, struct sk_buff *skb, void *ctx)
{
    ...
    pr_info("csk 0x%p,%u,0x%lx,%u, status %u, %pI4:%u-%pI4:%u.\n",
        csk, csk->state, csk->flags, csk->atid, rpl->status,
        &csk->saddr.sin_addr.s_addr, ntohs(csk->saddr.sin_port),
        &csk->daddr.sin_addr.s_addr, ntohs(csk->daddr.sin_port));
    ...
}

In drivers/scsi/cxgbi/cxgb3i/cxgb3i.c:1064,
cxgb3i_ofld_init will dump the address of cdev to dmesg
which allows local user to read kernel address via dmesg.

static int cxgb3i_ofld_init(struct cxgbi_device *cdev)
{
    ...
    pr_info("cdev 0x%p, offload up, added.\n", cdev);
    ...
}

In drivers/scsi/cxgbi/cxgb3i/cxgb3i.c:1343,
cxgb3i_dev_open will dump the address of cdev to dmesg
which allows local user to read kernel address via dmesg.

static void cxgb3i_dev_open(struct t3cdev *t3dev)
{
    ...
    pr_info("cdev 0x%p, f 0x%x, t3dev 0x%p open, err %d.\n",
        cdev, cdev ? cdev->flags : 0, t3dev, err);
    return;
    ...
}

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.