Bug 4746 - SIOCGIFCONF data corruption in ia32 emulation
Summary: SIOCGIFCONF data corruption in ia32 emulation
Status: RESOLVED CODE_FIX
Alias: None
Product: Platform Specific/Hardware
Classification: Unclassified
Component: x86-64
Hardware: i386 Linux
Importance: P2 high
Assignee: Andi Kleen
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-06-14 05:18 UTC by Alexandra Kossovsky
Modified: 2005-11-04 10:08 UTC
CC List: 0 users

See Also:
Kernel Version: 2.6.8, 2.6.11.9
Tree: Mainline
Regression: ---


Attachments
fix for a bug (848 bytes, patch)
2005-06-14 05:19 UTC, Alexandra Kossovsky

Description Alexandra Kossovsky 2005-06-14 05:18:31 UTC
Distribution:
Hardware Environment: amd64 processor
Software Environment: ia32 userland
Problem Description:
There is user data corruption when using ioctl(SIOCGIFCONF) in a 32-bit
application running on an amd64 kernel. I do not think that this problem is
exploitable, but any data corruption may lead to security problems.
The following code demonstrates the problem:

#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>

/* Static storage is zero-initialised, so any non-zero byte past the
 * requested length (41) must have been written by the kernel. */
char buf[256];

int main(void)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    struct ifconf req;
    int i;

    /* Offer the kernel only 41 bytes of the 256-byte buffer. */
    req.ifc_buf = buf;
    req.ifc_len = 41;

    printf("Result %d\n", ioctl(s, SIOCGIFCONF, &req));
    printf("Len %d\n", req.ifc_len);
    /* Nothing beyond byte 41 should have been touched. */
    for (i = 41; i < 256; i++)
        if (buf[i] != 0)
            printf("Byte %d is corrupted\n", i);
    return 0;
}

Steps to reproduce:
Compile the code above into 32-bit elf and run it. You'll get
Result 0
Len 32
Byte 48 is corrupted
Byte 52 is corrupted
Byte 53 is corrupted
Byte 54 is corrupted
Byte 55 is corrupted
Comment 1 Alexandra Kossovsky 2005-06-14 05:19:53 UTC
Created attachment 5162
fix for a bug

Attached patch fixes the problem.
Comment 2 Andi Kleen 2005-11-04 10:08:35 UTC
Patch is queued, merged soon. Thanks.