Bug 4746
| Summary: | SIOCGIFCONF data corruption in ia32 emulation | ||
|---|---|---|---|
| Product: | Platform Specific/Hardware | Reporter: | Alexandra Kossovsky (Alexandra.Kossovsky) |
| Component: | x86-64 | Assignee: | Andi Kleen (andi-bz) |
| Status: | RESOLVED CODE_FIX | ||
| Severity: | high | ||
| Priority: | P2 | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Kernel Version: | 2.6.8, 2.6.11.9 | Subsystem: | |
| Regression: | --- | Bisected commit-id: | |
| Attachments: | fix for a bug | ||
Created attachment 5162 [details]
fix for a bug
Attached patch fixes the problem.
Patch is queued, merged soon. Thanks. |
Distribution: Hardware Environment: amd64 processor Software Environment: ia32 userland Problem Description: There is user data corruption when using ioctl(SIOCGIFCONF) in 32-bit application running amd64 kernel. I do not think that this problem is exploitable, but any data corruption may lead to security problems. Following code demonstrates the problem #include <stdint.h> #include <stdio.h> #include <sys/time.h> #include <sys/socket.h> #include <net/if.h> #include <sys/ioctl.h> char buf[256]; main() { int s = socket(AF_INET, SOCK_DGRAM, 0); struct ifconf req; int i; req.ifc_buf = buf; req.ifc_len = 41; printf("Result %d\n", ioctl(s, SIOCGIFCONF, &req)); printf("Len %d\n", req.ifc_len); for (i = 41; i < 256; i++) if (buf[i] != 0) printf("Byte %d is corrupted\n", i); } Steps to reproduce: Compile the code above into 32-bit elf and run it. You'll get Result 0 Len 32 Byte 48 is corrupted Byte 52 is corrupted Byte 53 is corrupted Byte 54 is corrupted Byte 55 is corrupted