[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 12 Dec 2014 22:50:17 +0100
From: Florian Westphal <fw@...len.de>
To: Al Viro <viro@...IV.linux.org.uk>
Cc: David Miller <davem@...emloft.net>, kaber@...sh.net,
netdev@...r.kernel.org
Subject: Re: [WTF?] random test in netlink_sendmsg()
Al Viro <viro@...IV.linux.org.uk> wrote:
> On Fri, Dec 12, 2014 at 03:34:33PM -0500, David Miller wrote:
> > > What is that check trying to do? Is that simply missing
> > > "(msg->msg_iovlen > 0) &&"? And why on the Earth didn't it simply use
> > > zero msg_iovlen as the indicator, instead of messing with iovec contents?
> > > Obviously too late to change, but... ouch.
> >
> > I think it's simply trying to say: if nothing in the given iovec, use
> > the mmap() netlink area for the data.
> >
> > I cannot vouch for the correctness of this test.
> >
> > If we take the netlink_mmap_sendmsg() path, msg->msg_iov is not
> > accessed at all, so it cannot be a huge problem.
>
> Yes, but decision whether to take that path or not is random in case of
> msg_iovlen being 0...
>
> What do we want sendmsg(fd, &msg, 0) to do when fd is AF_NETLINK socket
> that had setsockopt(fd, SOL_NETLINK, NETLINK_TX_RING, ...) successfully done
> to it and msg.msg_iovlen is 0? Userland ABI question
IIRC userland, after filling txring with at least one new netlink
message, needs to call this to tell kernel to start processing the
messages in the tx ring.
> a security hole there" one... As it is, it might decide to do
> netlink_mmap_sendmsg() or it might decide to act as if we hadn't done
> NETLINK_TX_RING at all.
It should definitely be netlink_mmap_sendmsg() to commence messsage
processing.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists