Date:	Wed, 26 Jun 2013 15:15:34 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	hannes@...essinduktion.org
Cc:	eric.dumazet@...il.com, davej@...hat.com, netdev@...r.kernel.org,
	steffen.klassert@...unet.com
Subject: Re: oops in udpv6_sendmsg

From: Hannes Frederic Sowa <hannes@...essinduktion.org>
Date: Wed, 26 Jun 2013 15:07:48 +0200

> On Wed, Jun 26, 2013 at 04:15:07AM -0700, Eric Dumazet wrote:
>> Following patch fixes the problem for me :
> 
> Cool, thanks Eric!
> 
>> [PATCH] ipv6: ip6_sk_dst_check() must not assume ipv6 dst
>> 
>> It's possible to use AF_INET6 sockets and to connect to an IPv4
>> destination. After this, socket dst cache is a pointer to a rtable,
>> not rt6_info.
> 
> That was my hunch, too. I was unsure where we should destroy the lingering dst.
> 
>> ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
>> various corruptions/crashes can happen.
>> 
>> Dave Jones can reproduce immediate crash with 
>> trinity -q -l off -n -c sendmsg -c connect
>> 
>> With help from Hannes Frederic Sowa
>> 
>> Reported-by: Dave Jones <davej@...hat.com>
>> Reported-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
>> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> 
> Patch looks good. It also fixes some panics I have seen down lower in
> the netfilter ipv6 code I saw while testing, which I thought may be a
> different issue.
> 
> Acked-by: Hannes Frederic Sowa <hannes@...essinduktion.org>

Ok, so the issue can only happen if we switch between using an
ipv4 and an ipv6 binding on an ipv6 socket.  Usually if the sockaddr
specified for udp6_sendmsg() is ipv4, we'd go straight to udp_sendmsg().
But if it's ipv4 bound initially, then we get a udp6_sendmsg() with
an ipv6 address, we hit this problem.

Applied and queued up for -stable, thanks!
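
Added example, not part of this thread and not the applied patch: a user-space C model of the check the patch title asks for, where a per-socket route cache left behind by an IPv4 connect is discarded instead of being read as an IPv6 route. All `*_model` names, fields and values are hypothetical and are not the kernel's own definitions.

```c
/* User-space model of a per-socket route cache shared by IPv4 and IPv6.
 * All *_model names are hypothetical; these are not the kernel's structs. */
#include <stddef.h>
#include <sys/socket.h>                 /* AF_INET, AF_INET6 */

struct dst_model  { int family; int refcnt; };      /* common first member */
struct rt4_model  { struct dst_model dst; unsigned int gateway; };
struct rt6_model  { struct dst_model dst; unsigned char gateway[16]; int hoplimit; };
struct sock_model { struct dst_model *dst_cache; };

/* Drop the socket's reference and forget the cached entry. */
static void sk_dst_reset_model(struct sock_model *sk)
{
    if (sk->dst_cache) {
        sk->dst_cache->refcnt--;
        sk->dst_cache = NULL;
    }
}

/* Hand back the cache as an IPv6 route only after checking its family.
 * Without the family test, an rt4_model would be read as an rt6_model. */
struct rt6_model *sk_dst_check6_model(struct sock_model *sk)
{
    struct dst_model *dst = sk->dst_cache;
    if (dst == NULL)
        return NULL;
    if (dst->family != AF_INET6) {      /* left over from an IPv4 connect() */
        sk_dst_reset_model(sk);
        return NULL;                    /* caller must do a fresh lookup */
    }
    return (struct rt6_model *)dst;     /* valid: dst is the first member */
}

/* IPv4 route cached first, then an IPv6 send: 1 if the entry was discarded. */
int v4_cache_then_v6_send(void)
{
    struct rt4_model rt4 = { { AF_INET, 1 }, 0x7f000001u };  /* constructed */
    struct sock_model sk = { &rt4.dst };
    return sk_dst_check6_model(&sk) == NULL && sk.dst_cache == NULL
           && rt4.dst.refcnt == 0;
}

/* IPv6 route cached, then an IPv6 send: 1 if the same entry is reused. */
int v6_cache_then_v6_send(void)
{
    struct rt6_model rt6 = { { AF_INET6, 1 }, { 0 }, 64 };   /* constructed */
    struct sock_model sk = { &rt6.dst };
    struct rt6_model *got = sk_dst_check6_model(&sk);
    return got == &rt6 && got->hoplimit == 64 && rt6.dst.refcnt == 1;
}
```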