Re: [PATCH] can: bcm: fix infoleak in struct bcm_msg_head
From: Norbert Slusarek <hidden>
Date: 2021-06-13 13:36:00
Also in:
netdev
Hi,
1.
Are you sure this leak really happens on 64-bit and not on 32-bit instead?
I remember I got the problems with bcm msg head on the 32bit raspberry
pi because I missed the alignment by accident.
When I calculate the size of msg head on a Ryzen 1800X with Python
3.9.5, I get:
struct.calcsize("IIIllllII"),struct.calcsize("IIIllllII0q")
(56, 56)
First Value is raw, the second value is the alignment hack with the zero
length quad word "0q".
On the 32bit raspberry pi, same op results in the gap.
struct.calcsize("IIIllllII"),struct.calcsize("IIIllllII0q")
(36, 40)
Hey Patrick,
having reproduced this leak I could only observe the issue on 64-bit systems.
I've just tested it on a 32-bit OS running on a raspberry pi and I couldn't observe
any leak. The offset difference on 32-bit between count and ival1 is 4.
On 64-bit systems, it's 8:
(gdb) ptype struct bcm_msg_head
type = struct bcm_msg_head {
__u32 opcode;
__u32 flags;
__u32 count;
struct bcm_timeval ival1;
struct bcm_timeval ival2;
canid_t can_id;
__u32 nframes;
struct can_frame frames[0];
}
(gdb) p/x &((struct bcm_msg_head *)0x0)->count
$1 = 0x8
(gdb) p/x &((struct bcm_msg_head *)0x0)->ival1
$2 = 0x10
(gdb) p sizeof(((struct bcm_msg_head *)0x0)->count)
$3 = 4
2. Finding stucts with non-zero-ed gaps should be easy with a skript or even better with a GCC directive. I believe Syzbot does such a thing too. Kind Regards, Patrick Menschel
I didn't notice any syzbot report about this leak, nor did I find it with syzkaller. Norbert