'[oss-security] Linux kernel < 4.14.111 drivers/scsi/cxgbi/cxgb4i/cxgb4i.c kernel address dumps to us'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Linux kernel < 4.14.111 drivers/scsi/cxgbi/cxgb4i/cxgb4i.c kernel address dumps to us
From:       Fuqian Huang <huangfq.daxian () gmail ! com>
Date:       2019-04-18 13:35:40
Message-ID: CABXRUiT_PGoMJTkeEUeUguZWC0sZQoBPe+URKY9p7KuRsT2sXA () mail ! gmail ! com
[Download RAW message or body]

In drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:299,
send_act_open_req will dump the address of csk to dmesg
which allows local user to read kernel address via dmesg.

static void send_act_open_req(struct cxgbi_sock *csk, struct sk_buff *skb,
                struct l2t_entry *e)
{
    ...
    pr_info_ipaddr("t%d csk 0x%p,%u,0x%lx,%u, rss_qid %u.\n",
               (&csk->saddr), (&csk->daddr),
               CHELSIO_CHIP_VERSION(lldi->adapter_type), csk,
               csk->state, csk->flags, csk->atid, csk->rss_qid);
    ...
}


In drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:1792,
cxgb4i_ofld_init will dump the address of cdev to dmesg
which allows local user to read kernel address via dmesg.

static int cxgb4i_ofld_init(struct cxgbi_device *cdev)
{
    ...
    pr_info("cdev 0x%p, offload up, added.\n", cdev);
    ...
}

In drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2047,
t4_uld_add will dump the address of cdev to dmesg
which allows local user to read kernel address via dmesg.

static void *t4_uld_add(const struct cxgb4_lld_info *lldi)
{
    ...
    pr_info("cdev 0x%p,%s, pfvf %u.\n",
        cdev, lldi->ports[0]->name, cdev->pfvf);
    ...
}

In drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2129
and drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2132
and drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2136
and drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2139
and drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2143,
t4_uld_state_change will dump the address of cdev to dmesg
which allows local user to read kernel address via dmesg.

static int t4_uld_state_change(void *handle, enum cxgb4_state state)
{
    struct cxgbi_device *cdev = handle;

    switch (state) {
    case CXGB4_STATE_UP:
        pr_info("cdev 0x%p, UP.\n", cdev);
        break;
    case CXGB4_STATE_START_RECOVERY:
        pr_info("cdev 0x%p, RECOVERY.\n", cdev);
        /* close all connections */
        break;
    case CXGB4_STATE_DOWN:
        pr_info("cdev 0x%p, DOWN.\n", cdev);
        break;
    case CXGB4_STATE_DETACH:
        pr_info("cdev 0x%p, DETACH.\n", cdev);
        cxgbi_device_unregister(cdev);
        break;
    default:
        pr_info("cdev 0x%p, unknown state %d.\n", cdev, state);
        break;
    }
    return 0;
}
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic