[Kernel-packages] [Bug 1791893] Re: Trailing garbage data when sending on an AF_PACKET socket

Alex Murray Tue, 11 Sep 2018 04:20:47 -0700

This looks a lot like #1783110

** Information type changed from Private Security to Public


** Information type changed from Public to Private Security

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1791893

Title:
  Trailing garbage data when sending on an AF_PACKET socket

Status in linux package in Ubuntu:
  New

Bug description:
  When sending an Ethernet frame on an packet socket (AF_PACKET,
  SOCK_RAW), an additional 14 bytes of trailing data is sent on the
  interface. The extra 14 bytes are present regardless of the packet
  size. The extra data could be garbage/uninitialised kernel memory.

  Expected result:
  The raw Ethernet frame is sent on the interface.

  Actual result:
  The raw Ethernet frame plus an additional 14 bytes of unknown data is sent on 
the interface.

  Steps to reproduce:
  The attached test program inject.c can be used to reproduce the issue.

  # In window 1. Send an EAP packet without any payload.
  gcc inject.c -o inject
  sudo ./inject lo

  # Simultaneously in window 2. Tcpdump shows a payload of 14 bytes.
  sudo tcpdump -i lo -enlx
  07:45:45.005652 02:00:00:00:00:01 > 02:00:00:00:00:00, ethertype EAPOL 
(0x888e), length 28: EAP packet (0) v64, len 0
      0x0000:  4000 0000 0000 0000 4000 0000 0000

  Running strace on the "inject" program shows that send(2) is indeed
  called with the correct buffer size. The extra 14 bytes appear to be
  added by the kernel, and this might leak kernel memory.

  Ubuntu release:
  Ubuntu 18.04.1 LTS

  Package version:
  4.15.0-33.36
  The issue could not be reproduced on linux-image-4.15.0-22-generic or 
linux-image-4.15.0-23-generic.

  uname -a:
  Linux ubuntu 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 
x86_64 x86_64 x86_64 GNU/Linux

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1791893/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1791893] Re: Trailing garbage data when sending on an AF_PACKET socket

Reply via email to