| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Mar 2016 11:43:23 -0500
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: Alan Cox <alan@...ux.intel.com>
Cc: David Miller <davem@...emloft.net>,
Heikki Hannikainen <hessu@....iki.fi>,
Network Development <netdev@...r.kernel.org>,
Willem de Bruijn <willemb@...gle.com>
Subject: Re: Sending short raw packets using sendmsg() broke
On Thu, Mar 3, 2016 at 11:40 AM, Willem de Bruijn
<willemdebruijn.kernel@...il.com> wrote:
> On Tue, Mar 1, 2016 at 7:00 PM, Alan Cox <alan@...ux.intel.com> wrote:
>>> More thorough validation of the header contents is not necessarily
>>> hard. The following validates the address, including optional
>>> repeaters.
>>>
>>> static bool ax25_validate_hard_header(const char *ll_header,
>>> unsigned short len)
>>> {
>>> ax25_digi digi;
>>>
>>> return !ax25_addr_parse(ll_header, len, NULL, NULL, &digi,
>>> NULL, NULL);
>>> }
>>
>> This also breaks because there is a KISS header byte on an AX.25
>> transmission and it is valid to send a KISS control frame via
>> SOCK_PACKET but it cannot be generated by other protocols.
>>
>> Basically everything hitting an AX.25 port is either a zero byte
>> followed by an AX.25 frame, or a KISS frame the first of which is non
>> zero and which is used to set parameters on the radio side.
>>
>> The AX.25 device level drivers are simply written to be robust if
>> thrown partial frames.
>
> That is preferable, but unfortunately does not seem to be true in general.
>
> A quick search for ethhdr in drivers/net/ethernet shows, for instance,
> bnx2x_select_queue casting skb->data to an ethernet header. Reading
> nonsense in that particular function is quite safe and given the
> skbuff layout (skb_shared_info) code will never read beyond an
> allocated region. But that was just the first occurrence I found.
> efx_tso_check_protocol is another example.
>
> The stack itself also has a few unconditional uses of
> dev->hard_header_len as lower bound on packet length.
> dump_ipv4_mac_header in net/ipv4/netfilter/nf_log_ipv4.c iterates
> over bytes and logs them to the system log. nla_put(inst->skb,
> FULA_HWHEADER, skb->dev->hard_header_len, hwhdrp) in
> net/netfilter/nfnetlink_log passes bytes up to userspace. With
> ebtables or tc + act_ipt, it might be possible to construct a path
> from a packet socket through one of these. I'm not sure. Regardless of
> the immediate fix, these should probably be made more robust against
> short packets.
>
>> The other thing that concerns me about this added logic in general is
>> that you are also breaking test tools that want to deliberately send
>> corrupt frames to certain classes of interface. I'm not sure how big an
>> issue that is given we always for example padded ethernet frames
>> properly, but the more validation we do for a privileged interface the
>> more we prevent applications for testing network behaviour from being
>> able to run on Linux.
>
> Good point. Given how a minimum header length check already causes so
> much problems, I hesitate to add more validation logic
> unconditionally.
>
>> Possibly there should be a CAP_SYS_RAWIO test but
>> making it impossible is a bad step.
>
> Okay. To avoid overloading this capability, perhaps a per-device
> sysctl analogous to net.ipv4.conf.$DEV.accept_local?
That per device space does not exist for net.core, so it would have to
be a global option (net.core.validate_ll_hdr)
>
> I'll start with the patch to replaces ll_header_truncate with a
> validate() + a separate minimal ax25 implementation.
>
>>
>> Alan
>>
>>
>>
>>
>>
>>
>>
Powered by blists - more mailing lists