When sending an Ethernet frame on an packet socket (AF_PACKET, SOCK_RAW), an additional 14 bytes of trailing data is sent on the interface. The extra 14 bytes are present regardless of the packet size. The extra data could be garbage/uninitialised kernel memory.
Expected result:
The raw Ethernet frame is sent on the interface.
Actual result:
The raw Ethernet frame plus an additional 14 bytes of unknown data is sent on the interface.
Steps to reproduce:
The attached test program inject.c can be used to reproduce the issue.
# In window 1. Send an EAP packet without any payload.
gcc inject.c -o inject
sudo ./inject lo
# Simultaneously in window 2. Tcpdump shows a payload of 14 bytes.
sudo tcpdump -i lo -enlx
07:45:45.005652 02:00:00:00:00:01 > 02:00:00:00:00:00, ethertype EAPOL (0x888e), length 28: EAP packet (0) v64, len 0
0x0000: 4000 0000 0000 0000 4000 0000 0000
Running strace on the "inject" program shows that send(2) is indeed called with the correct buffer size. The extra 14 bytes appear to be added by the kernel, and this might leak kernel memory.
Ubuntu release:
Ubuntu 18.04.1 LTS
Package version:
4.15.0-33.36
The issue could not be reproduced on linux-image-4.15.0-22-generic or linux-image-4.15.0-23-generic.
uname -a:
Linux ubuntu 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
---
ProblemType: Bug
ApportVersion: 2.20.9-0ubuntu7.3
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC0: johan 1763 F.... pulseaudio
CurrentDesktop: GNOME-Flashback:GNOME
DistroRelease: Ubuntu 18.04
HibernationDevice: RESUME=UUID=7d5f82e0-635f-4c53-a80d-11b0f47d27fd
InstallationDate: Installed on 2018-01-08 (245 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
IwConfig:
lxcbr0 no wireless extensions.
enp0s3 no wireless extensions.
lo no wireless extensions.
Lsusb:
Bus 001 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: innotek GmbH VirtualBox
Package: linux (not installed)
ProcFB: 0 vboxdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-33-generic root=UUID=54834e7a-dbec-4d9f-b662-6107cecc8a86 ro quiet splash
ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18
RelatedPackageVersions:
linux-restricted-modules-4.15.0-33-generic N/A
linux-backports-modules-4.15.0-33-generic N/A
linux-firmware 1.173.1
RfKill:
StagingDrivers: vboxvideo
Tags: bionic staging
Uname: Linux 4.15.0-33-generic x86_64
UpgradeStatus: Upgraded to bionic on 2018-06-27 (76 days ago)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo wireshark
_MarkForUpload: True
dmi.bios.date: 12/01/2006
dmi.bios.vendor: innotek GmbH
dmi.bios.version: VirtualBox
dmi.board.name: VirtualBox
dmi.board.vendor: Oracle Corporation
dmi.board.version: 1.2
dmi.chassis.type: 1
dmi.chassis.vendor: Oracle Corporation
dmi.modalias: dmi:bvninnotekGmbH:bvrVirtualBox:bd12/01/2006:svninnotekGmbH:pnVirtualBox:pvr1.2:rvnOracleCorporation:rnVirtualBox:rvr1.2:cvnOracleCorporation:ct1:cvr:
dmi.product.family: Virtual Machine
dmi.product.name: VirtualBox
dmi.product.version: 1.2
dmi.sys.vendor: innotek GmbH
This looks a lot like #1783110