| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Mar 2016 11:40:14 -0500
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: Alan Cox <alan@...ux.intel.com>
Cc: David Miller <davem@...emloft.net>,
Heikki Hannikainen <hessu@....iki.fi>,
Network Development <netdev@...r.kernel.org>,
Willem de Bruijn <willemb@...gle.com>
Subject: Re: Sending short raw packets using sendmsg() broke
On Tue, Mar 1, 2016 at 7:00 PM, Alan Cox <alan@...ux.intel.com> wrote:
>> More thorough validation of the header contents is not necessarily
>> hard. The following validates the address, including optional
>> repeaters.
>>
>> static bool ax25_validate_hard_header(const char *ll_header,
>> unsigned short len)
>> {
>> ax25_digi digi;
>>
>> return !ax25_addr_parse(ll_header, len, NULL, NULL, &digi,
>> NULL, NULL);
>> }
>
> This also breaks because there is a KISS header byte on an AX.25
> transmission and it is valid to send a KISS control frame via
> SOCK_PACKET but it cannot be generated by other protocols.
>
> Basically everything hitting an AX.25 port is either a zero byte
> followed by an AX.25 frame, or a KISS frame the first of which is non
> zero and which is used to set parameters on the radio side.
>
> The AX.25 device level drivers are simply written to be robust if
> thrown partial frames.
That is preferable, but unfortunately does not seem to be true in general.
A quick search for ethhdr in drivers/net/ethernet shows, for instance,
bnx2x_select_queue casting skb->data to an ethernet header. Reading
nonsense in that particular function is quite safe and given the
skbuff layout (skb_shared_info) code will never read beyond an
allocated region. But that was just the first occurrence I found.
efx_tso_check_protocol is another example.
The stack itself also has a few unconditional uses of
dev->hard_header_len as lower bound on packet length.
dump_ipv4_mac_header in net/ipv4/netfilter/nf_log_ipv4.c iterates
over bytes and logs them to the system log. nla_put(inst->skb,
FULA_HWHEADER, skb->dev->hard_header_len, hwhdrp) in
net/netfilter/nfnetlink_log passes bytes up to userspace. With
ebtables or tc + act_ipt, it might be possible to construct a path
from a packet socket through one of these. I'm not sure. Regardless of
the immediate fix, these should probably be made more robust against
short packets.
> The other thing that concerns me about this added logic in general is
> that you are also breaking test tools that want to deliberately send
> corrupt frames to certain classes of interface. I'm not sure how big an
> issue that is given we always for example padded ethernet frames
> properly, but the more validation we do for a privileged interface the
> more we prevent applications for testing network behaviour from being
> able to run on Linux.
Good point. Given how a minimum header length check already causes so
much problems, I hesitate to add more validation logic
unconditionally.
> Possibly there should be a CAP_SYS_RAWIO test but
> making it impossible is a bad step.
Okay. To avoid overloading this capability, perhaps a per-device
sysctl analogous to net.ipv4.conf.$DEV.accept_local?
I'll start with the patch to replaces ll_header_truncate with a
validate() + a separate minimal ax25 implementation.
>
> Alan
>
>
>
>
>
>
>
Powered by blists - more mailing lists