lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070410131724.GA18553@elte.hu>
Date:	Tue, 10 Apr 2007 15:17:24 +0200
From:	Ingo Molnar <mingo@...e.hu>
To:	John <linux.kernel@...e.fr>
Cc:	linux-kernel@...r.kernel.org, tglx@...esys.com
Subject: Re: 2.6.20-rt8 patch tweaked for 2.6.20.5


* John <linux.kernel@...e.fr> wrote:

> I'd be happy to generate a clean patch!
> (Would you agree to host it in your directory?)
> http://people.redhat.com/mingo/realtime-preempt/older/

sure, i can put it there.

> 3. linux/kernel/futex.c
> [ I'm not sure I've made the appropriate changes here ]
> 
> Basically, we want to replace
>   spin_lock(&pi_state->pi_mutex.wait_lock);
> with
>   spin_lock_irqsave(&pi_state->pi_mutex.wait_lock, flags);
> 
> and we want to replace
>   spin_unlock(&pi_state->pi_mutex.wait_lock);
> with
>   spin_unlock_irqrestore(&pi_state->pi_mutex.wait_lock, flags);
> 
> Is that correct?

yes.

> 4. linux/kernel/time/clocksource.c
> Provide an #include directive added by patch-2.6.20.2
> Remove the first line to keep patch happy.
> 
> --- a/kernel/time/clocksource.c
> +++ b/kernel/time/clocksource.c
> @@ -28,6 +28,7 @@
>  #include <linux/sysdev.h>
>  #include <linux/init.h>
>  #include <linux/module.h>
> +#include <linux/sched.h> /* for spin_unlock_irq() using preempt_count() 
> m68k */
> 
>  /* XXX - Would like a better way for initializing curr_clocksource */
>  extern struct clocksource clocksource_jiffies;
> 
> 
> 5. linux/net/xfrm/xfrm_user.c
> [ I'm not sure I've made the appropriate changes here ]
> 
> Remove a patch that was already applied to 2.6.20.2
> cf. patch-2.6.20.2
> 
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -1273,10 +1273,6 @@ static int xfrm_get_policy(struct sk_buff *skb, 
> struct nlmsghdr *nlh,
>  		xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, 
>  		tmp.security, delete);
>  		security_xfrm_policy_free(&tmp);
>  	}
> -	if (delete)
> -		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
> -			       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, 
> NULL);
> -
>  	if (xp == NULL)
>  		return -ENOENT;
> 
> @@ -1292,8 +1288,14 @@ static int xfrm_get_policy(struct sk_buff *skb, 
> struct nlmsghdr *nlh,
>  					      MSG_DONTWAIT);
>  		}
>  	} else {
> -		if ((err = security_xfrm_policy_delete(xp)) != 0)
> +		err = security_xfrm_policy_delete(xp);
> +
> +		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
> +			       AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, 
> NULL);
> +
> +		if (err != 0)
>  			goto out;
> +
>  		c.data.byid = p->index;
>  		c.event = nlh->nlmsg_type;
>  		c.seq = nlh->nlmsg_seq;
> 
> 
> As a side note, I find the expression
>   err ? 0 : 1
> suspect. Why not write !err ?

it was in the original code and i didnt want to change that. I've 
attached the original patch below - the bug is probably fixed upstream 
meawhile (in a different way) so no need to do any change there.

	Ingo

--------------->
Subject: [patch] net/xfrm: fix audit logging
From: Ingo Molnar <mingo@...e.hu>

i got the following crash when restarting a (timed out) ipsec session
on 2.6.20-rc1:

BUG: unable to handle kernel NULL pointer dereference at virtual address 000000a2
 printing eip:
c0320f67
*pde = 00000000
stopped custom tracer.
Oops: 0000 [#1]
PREEMPT SMP 
Modules linked in: xfrm4_mode_tunnel deflate zlib_deflate twofish twofish_common serpent blowfish cbc ecb xcbc sha256 crypto_null aes des blkcipher xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key radeon drm hidp l2cap bluetooth sunrpc ipv6 n_hdlc ppp_synctty ppp_async crc_ccitt ppp_generic slhc nf_conntrack_netbios_ns ipt_REJECT nf_conntrack_ipv4 xt_state xt_tcpudp iptable_filter ip_tables x_tables dm_mirror dm_multipath dm_mod raid1 video sbs i2c_ec button battery asus_acpi ac parport_pc lp parport floppy snd_via82xx_modem snd_seq_dummy snd_via82xx snd_ac97_codec snd_seq_oss snd_seq_midi_event ac97_bus bt878 tuner snd_seq bttv video_buf ir_common snd_pcm_oss snd_mixer_oss videodev v4l1_compat v4l2_common i2c_algo_bit snd_pcm btcx_risc tveeprom compat_ioctl32 pcspkr e100 skge mii i2c_viapro snd_timer gameport snd_mpu401_uart snd_rawmidi snd_seq_device snd_page_alloc snd i2c_core soundcore k8temp hwmon ide_cd serio_raw cdrom sata_via pata_via ata_generic libata sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
CPU:    0
EIP:    0060:[<c0320f67>]    Not tainted VLI
EFLAGS: 00010246   (2.6.20-rc1.1.rt4.0006 #1)
EIP is at xfrm_audit_log+0x116/0x423
eax: 00000000   ebx: 00000586   ecx: 00000000   edx: c03dfc79
esi: 000001f4   edi: 00000000   ebp: f5229a48   esp: f522999c
ds: 007b   es: 007b   ss: 0068   preempt: 00000001
Process pluto (pid: 12885, ti=f5229000 task=f7c06af0 task.ti=f5229000)
Stack: f7c5be00 c03f6e49 000001f4 f3860a80 00000000 f52299bc c02ca13f 00000000 
       f52299dc c02ca247 00000006 f52299e4 c01254ba 00000001 e86fd000 00000000 
       f52299e4 c02ca27d f7c5be00 f8d928b9 f5229a10 c0155d14 f3860a80 fffffffd 
Call Trace:
 [<c0329c69>] xfrm_get_policy+0x108/0x24f
 [<c03274a9>] xfrm_user_rcv_msg+0x132/0x155
 [<c02e3f23>] netlink_run_queue+0x61/0xcd
 [<c0326eeb>] xfrm_netlink_rcv+0x27/0x3b
 [<c02e3fa2>] netlink_data_ready+0x13/0x54
 [<c02e1fcf>] netlink_sendskb+0x1f/0x37
 [<c02e3a55>] netlink_unicast+0x1aa/0x1b2
 [<c02e3cce>] netlink_sendmsg+0x271/0x27d
 [<c02c47b8>] sock_aio_write+0x104/0x110
 [<c017d703>] do_sync_write+0xb2/0xef
 [<c017dd46>] vfs_write+0xc5/0x165
 [<c017e51a>] sys_write+0x3d/0x61
 [<c0103ffd>] syscall_call+0x7/0xb
 [<457d78b2>] 0x457d78b2
 =======================
---------------------------
| preempt count: 00000001 ]
| 1-level deep critical section nesting:
----------------------------------------
.. [<c0334075>] .... __spin_lock_irqsave+0x25/0x5e
.....[<c01057db>] ..   ( <= die+0x42/0x201)

skipping trace printing on CPU#0 != -1
Code: 24 e8 3e 5b e3 ff eb 08 8b 45 9c e8 43 9f e3 ff 83 7d 0c 00 74 12 8b 4d 0c 0f b7 99 9c 00 00 00 8b 91 18 01 00 00 eb 10 8b 45 10 <0f> b7 98 a2 00 00 00 8b 90 d8 01 00 00 85 d2 74 29 8d 42 08 89 
EIP: [<c0320f67>] xfrm_audit_log+0x116/0x423 SS:ESP 0068:f522999c

the reason for the crash is that we pass both 'xp' and 'x' as NULL into
xfrm_audit_log(), which thus has no other option but to crash.

The fix i think is to check for the presence of xp sooner and
return with -ENOENT, and to pass in the 'delete' flag as the result
to the audit subsystem, not the 'xp != NULL' boolen value.

Hopefully i got this right :-)

Signed-off-by: Ingo Molnar <mingo@...e.hu>
---
 net/xfrm/xfrm_user.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

Index: linux/net/xfrm/xfrm_user.c
===================================================================
--- linux.orig/net/xfrm/xfrm_user.c
+++ linux/net/xfrm/xfrm_user.c
@@ -1273,13 +1273,12 @@ static int xfrm_get_policy(struct sk_buf
 		xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
 		security_xfrm_policy_free(&tmp);
 	}
-	if (delete)
-		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-			       AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
-
 	if (xp == NULL)
 		return -ENOENT;
 
+	xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+		       AUDIT_MAC_IPSEC_DELSPD, delete, xp, NULL);
+
 	if (!delete) {
 		struct sk_buff *resp_skb;
 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ