Re: [PATCH] fix infoleak in fcntl

From: Richard Weinberger
Date: Sun May 08 2016 - 17:01:50 EST

Next message: Tomas Winkler: "[char-misc-next 2/2] mei: drop wr_msg from the mei_dev structure"
Previous message: Shrikrishna Khare: "Re: [PATCH net-next 5/7] Driver: Vmxnet3: Add support for get_coalesce, set_coalesce ethtool operations"
In reply to: Richard Weinberger: "Re: [PATCH] fix infoleak in fcntl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Am 08.05.2016 um 17:40 schrieb Kangjie Lu:
>
>
> On Sun, May 8, 2016 at 8:58 AM, Richard Weinberger <richard.weinberger@xxxxxxxxx <mailto:richard.weinberger@xxxxxxxxx>> wrote:
>
> On Tue, May 3, 2016 at 10:34 PM, Kangjie Lu <kangjielu@xxxxxxxxx <mailto:kangjielu@xxxxxxxxx>> wrote:
> > The stack object âsiâ has a total size of 128 bytes; however, only
> > 16 bytes are initialized. The remaining uninitialized bytes are
> > sent to userland via send_signal.
>
> How did you find all these leaks?
> Since you sent more than one patch I guess you used some tool, which one?
>
>
> Yes. Since there are *so many* infoleak vulnerabilities in the kernel, we are writing a
> static checker to find them. We plan to release it once it is done, so people can use
> it to find more bugs in kernel or even other user space programs.

How does your tool work?
I'd guess it tries to find uninitialized structs passed into copy_to_user().

Thanks,
//richard

Next message: Tomas Winkler: "[char-misc-next 2/2] mei: drop wr_msg from the mei_dev structure"
Previous message: Shrikrishna Khare: "Re: [PATCH net-next 5/7] Driver: Vmxnet3: Add support for get_coalesce, set_coalesce ethtool operations"
In reply to: Richard Weinberger: "Re: [PATCH] fix infoleak in fcntl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]