lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 26 Jun 2013 04:15:07 -0700
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Hannes Frederic Sowa <hannes@...essinduktion.org>
Cc:	Dave Jones <davej@...hat.com>, David Miller <davem@...emloft.net>,
	netdev@...r.kernel.org,
	Steffen Klassert <steffen.klassert@...unet.com>
Subject: Re: oops in udpv6_sendmsg

From: Eric Dumazet <edumazet@...gle.com>

On Wed, 2013-06-26 at 02:29 -0700, Eric Dumazet wrote:
> On Wed, 2013-06-26 at 02:22 -0700, Eric Dumazet wrote:
> > ip6_rt_put
> > 
> > Oh well...
> > 
> > It sounds we mix ipv4/ipv6 dst on an IPV6 socket.
> > 
> > So an IPV4 actor thinks he got a "struct rtable" pointer and messes
> > critical fields which overlay struct rt6_info components, for example
> > rt6i_node
> > 
> > rt6_inode  shares the same storage with : 
> > 
> > rt_type/rt_is_input/rt_uses_gateway/rt_iif
> > 
> > In my case, rt_iif is 0
> > 
> > CC Steffen Klassert, because of commit
> > 8141ed9fcedb278f4a3a78680591bef1e55f75fb
> > ("ipv4: Add a socket release callback for datagram sockets")
> 
> ip6_sk_dst_lookup_flow()/ip6_sk_dst_check() look buggy, they assume the
> socket dst is an IPv6 one.
> 
> But its not true if ip4_datagram_connect() was called before.

Following patch fixes the problem for me :

[PATCH] ipv6: ip6_sk_dst_check() must not assume ipv6 dst

It's possible to use AF_INET6 sockets and to connect to an IPv4
destination. After this, socket dst cache is a pointer to a rtable,
not rt6_info.

ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
various corruptions/crashes can happen.

Dave Jones can reproduce immediate crash with 
trinity -q -l off -n -c sendmsg -c connect

With help from Hannes Frederic Sowa

Reported-by: Dave Jones <davej@...hat.com>
Reported-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
Signed-off-by: Eric Dumazet <edumazet@...gle.com>
---
 net/ipv6/ip6_output.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 95703ba..d5d20cd 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -821,11 +821,17 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
 					  const struct flowi6 *fl6)
 {
 	struct ipv6_pinfo *np = inet6_sk(sk);
-	struct rt6_info *rt = (struct rt6_info *)dst;
+	struct rt6_info *rt;
 
 	if (!dst)
 		goto out;
 
+	if (dst->ops->family != AF_INET6) {
+		dst_release(dst);
+		return NULL;
+	}
+
+	rt = (struct rt6_info *)dst;
 	/* Yes, checking route validity in not connected
 	 * case is not very simple. Take into account,
 	 * that we do not support routing by source, TOS,


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ