Open Source and information security mailing list archives
Date:	Fri, 12 Dec 2014 22:50:17 +0100
From:	Florian Westphal <fw@...len.de>
To:	Al Viro <viro@...IV.linux.org.uk>
Cc:	David Miller <davem@...emloft.net>, kaber@...sh.net,
	netdev@...r.kernel.org
Subject: Re: [WTF?] random test in netlink_sendmsg()

Al Viro <viro@...IV.linux.org.uk> wrote:
> On Fri, Dec 12, 2014 at 03:34:33PM -0500, David Miller wrote:
> > > 	What is that check trying to do?  Is that simply missing
> > > "(msg->msg_iovlen > 0) &&"?  And why on the Earth didn't it simply use
> > > zero msg_iovlen as the indicator, instead of messing with iovec contents?
> > > Obviously too late to change, but... ouch.
> > 
> > I think it's simply trying to say: if nothing in the given iovec, use
> > the mmap() netlink area for the data.
> > 
> > I cannot vouch for the correctness of this test.
> > 
> > If we take the netlink_mmap_sendmsg() path, msg->msg_iov is not
> > accessed at all, so it cannot be a huge problem.
> 
> Yes, but decision whether to take that path or not is random in case of
> msg_iovlen being 0...
> 
> What do we want sendmsg(fd, &msg, 0) to do when fd is AF_NETLINK socket
> that had setsockopt(fd, SOL_NETLINK, NETLINK_TX_RING, ...) successfully done
> to it and msg.msg_iovlen is 0?  Userland ABI question

IIRC userland, after filling txring with at least one new netlink
message, needs to call this to tell kernel to start processing the
messages in the tx ring.

> a security hole there" one...  As it is, it might decide to do
> netlink_mmap_sendmsg() or it might decide to act as if we hadn't done
> NETLINK_TX_RING at all.

It should definitely be netlink_mmap_sendmsg() to commence message
processing.