Date:   Tue, 14 Nov 2017 19:19:12 +0000
From:   Jon Maloy <jon.maloy@...csson.com>
To:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC:     "David Miller (davem@...emloft.net)" <davem@...emloft.net>,
        "dsahern@...il.com" <dsahern@...il.com>
Subject: Broken netlink ABI

commit 28033ae4e0f ("net: netlink: Update attr validation to require exact length for some types") breaks the netlink ABI.

When I give the command:
~$ tipc node set addr 1.1.2

I get the following response:

error: Numerical result out of range
Unable to get TIPC nl family id (module loaded?)
error, message initialisation failed

The module is definitely loaded:

~$ lsmod 
tipc 172032 0 - Live 0xffffffffa0062000
ip6_udp_tunnel 16384 1 tipc, Live 0xffffffffa0034000
udp_tunnel 16384 1 tipc, Live 0xffffffffa0039000

Bisecting reveals that the culprit is the commit referred to above, or more exactly the lines:

        if (nla_attr_len[pt->type]) {
                if (attrlen != nla_attr_len[pt->type])
                        return -ERANGE;
                return 0;
        }

This test compares the following values:
attrlen == 4,
nla_attr_len[pt->type] == 2

The corresponding code in the tipc tool is:

static int get_family(void)
{
        int err;
        int nl_family;
        struct nlmsghdr *nlh;
        struct genlmsghdr *genl;
        char buf[MNL_SOCKET_BUFFER_SIZE];

        nlh = mnl_nlmsg_put_header(buf);
        nlh->nlmsg_type = GENL_ID_CTRL;
        nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;

        genl = mnl_nlmsg_put_extra_header(nlh, sizeof(struct genlmsghdr));
        genl->cmd = CTRL_CMD_GETFAMILY;
        genl->version = 1;

        mnl_attr_put_u32(nlh, CTRL_ATTR_FAMILY_ID, GENL_ID_CTRL);
        mnl_attr_put_strz(nlh, CTRL_ATTR_FAMILY_NAME, TIPC_GENL_V2_NAME);

        if ((err = msg_query(nlh, family_id_cb, &nl_family)))
                return err;

        return nl_family;
}

I didn't dig further into this, but you will notice that tipc, in contrast to most other iproute2 tools, uses libmnl to build messages. Maybe the reason can be found there?

BR
Jon Maloy
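The mismatch described in the report, as an added example that is not the kernel's or the tipc tool's own code: a small model of the exact-length attribute check quoted above, fed the reported values (a 4-byte u32 payload for an attribute whose policy entry expects 2 bytes). The policy table, the `nla_policy` struct and the older minimum-length rule kept for comparison are reconstructions assumed here, not taken from the page.

```c
/* Added example, not kernel or tipc code. Models the exact-length check
 * from the report next to an assumed minimum-length rule, and replays
 * the reported case: sender writes a u32 (4 bytes), policy says u16 (2). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

enum { NLA_UNSPEC, NLA_U8, NLA_U16, NLA_U32, NLA_U64, NLA_STRING, NLA_TYPE_MAX };

/* Fixed payload size per type; 0 means "no fixed size" (e.g. strings). */
static const uint16_t nla_attr_len[NLA_TYPE_MAX] = {
    [NLA_U8] = 1, [NLA_U16] = 2, [NLA_U32] = 4, [NLA_U64] = 8,
};

struct nla_policy { uint16_t type; };   /* assumed minimal policy entry */

/* Strict rule quoted in the report: the length must match exactly. */
int validate_exact(const struct nla_policy *pt, size_t attrlen)
{
    if (nla_attr_len[pt->type]) {
        if (attrlen != nla_attr_len[pt->type])
            return -ERANGE;
        return 0;
    }
    return 0;
}

/* Assumed older rule for comparison: only a payload shorter than the
 * type's size is rejected, so an oversized u32 passed as a u16 went through. */
int validate_minlen(const struct nla_policy *pt, size_t attrlen)
{
    if (nla_attr_len[pt->type] && attrlen < nla_attr_len[pt->type])
        return -ERANGE;
    return 0;
}

/* Replay the reported case: policy expects u16, sender used mnl_attr_put_u32.
 * Returns 0 if accepted, -ERANGE if rejected. */
int family_id_check(int strict)
{
    const struct nla_policy pt = { .type = NLA_U16 };
    size_t attrlen = sizeof(uint32_t);   /* 4 bytes on the wire */
    return strict ? validate_exact(&pt, attrlen) : validate_minlen(&pt, attrlen);
}
```

With the strict rule `family_id_check(1)` returns -ERANGE, matching the "Numerical result out of range" error in the report, while the lenient rule returns 0.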
