• [COMPAT] net: SIOCGIFCONF data corruption · 4909724b
    Alexandra Kossovsky authored
    From: Alexandra Kossovsky <Alexandra.Kossovsky@oktetlabs.ru>
    
    From http://bugzilla.kernel.org/show_bug.cgi?id=4746
    
    There is user data corruption when using ioctl(SIOCGIFCONF) in a 32-bit
    application running on an amd64 kernel. I do not think that this problem is
    exploitable, but any data corruption may lead to security problems.
    The following code demonstrates the problem:
    
    #include <stdint.h>
    #include <stdio.h>
    #include <sys/time.h>
    #include <sys/socket.h>
    #include <net/if.h>
    #include <sys/ioctl.h>
    
    char buf[256];
    
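    int main(void)
    {
    	int s = socket(AF_INET, SOCK_DGRAM, 0);
    	struct ifconf req;
    	int i;
    
    	/* Claim only 41 bytes of the 256-byte buffer. */
    	req.ifc_buf = buf;
    	req.ifc_len = 41;
    
    	printf("Result %d\n", ioctl(s, SIOCGIFCONF, &req));
    	printf("Len %d\n", req.ifc_len);
    	/* Any non-zero byte at or past offset 41 was written beyond ifc_len. */
    	for (i = 41; i < 256; i++)
    		if (buf[i] != 0)
    			printf("Byte %d is corrupted\n", i);
    	return 0;
    }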
    	
    Steps to reproduce:
    Compile the code above into a 32-bit ELF and run it. You'll get:
    Result 0
    Len 32
    Byte 48 is corrupted
    Byte 52 is corrupted
    Byte 53 is corrupted
    Byte 54 is corrupted
    Byte 55 is corrupted
    
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
compat_ioctl.c 86.6 KB
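
A user-space model of a record-copy loop that reproduces the pattern reported in the commit message, comparing a bound that checks only where a record starts with one that requires the whole record to fit. This is an added example, not code from the commit or from compat_ioctl.c: the 32-byte record layout, the sample interfaces, the `fill` and `corrupted` helpers and both loop bounds are assumptions, since the page does not show the kernel loop.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC 32	/* assumed 32-bit record: 16-byte name + 16-byte sockaddr */

/* Constructed sample records: "lo" 127.0.0.1 and "eth0" 10.1.2.3.
 * Byte 16 is the low byte of sa_family (2 = AF_INET), bytes 20-23 the address. */
static const uint8_t recs[2][REC] = {
	{ 'l', 'o', [16] = 2, [20] = 127, 0, 0, 1 },
	{ 'e', 't', 'h', '0', [16] = 2, [20] = 10, 1, 2, 3 },
};

/* Copy whole records into a buffer the caller declared as len bytes.
 * strict == 0 checks only the record's start offset against len;
 * strict == 1 requires the whole record to fit.
 * Returns the length reported back to the caller. */
static int fill(uint8_t *buf, int len, int strict)
{
	int i, n;

	for (i = 0, n = 0; n < 2 && (strict ? i + REC <= len : i < len); i += REC, n++)
		memcpy(buf + i, recs[n], REC);
	return i <= len ? i : i - REC;
}

/* Same scan as the reproducer: count non-zero bytes at or past len. */
static int corrupted(int len, int strict, int *first, int *reported)
{
	uint8_t buf[256] = {0};
	int i, count = 0;

	*first = -1;
	*reported = fill(buf, len, strict);
	for (i = len; i < 256; i++)
		if (buf[i] != 0 && count++ == 0)
			*first = i;
	return count;
}

int main(void)
{
	int first, rep, n = corrupted(41, 0, &first, &rep);

	printf("start-only check: len %d, %d bytes past 41, first at %d\n", rep, n, first);
	n = corrupted(41, 1, &first, &rep);
	printf("whole-record check: len %d, %d bytes past 41\n", rep, n);
	return 0;
}
```

With the constructed records, the start-only bound reports length 32 yet leaves non-zero bytes at offsets 48 and 52 to 55, the same pattern as the output in the commit message; the whole-record bound reports 32 and writes nothing past offset 41.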