lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070713200515.GS5549@austin.ibm.com>
Date:	Fri, 13 Jul 2007 15:05:15 -0500
From:	linas@...tin.ibm.com (Linas Vepstas)
To:	"Eric W. Biederman" <ebiederm@...ssion.com>,
	linux-kernel@...r.kernel.org
Cc:	linuxppc-dev@...abs.org, netdev@...r.kernel.org
Subject: [PATCH] crash in 2.6.22-git2 sysctl_set_parent()


This is a patch (& bug report) for a crash in sysctl_set_parent() 
in 2.6.22-git2. 

Problem: 2.6.22-git2 crashes with a stack trace 
[c000000001d0fb00] c000000000067b4c .sysctl_set_parent+0x48/0x7c
[c000000001d0fb90] c000000000069b40 .register_sysctl_table+0x7c/0xf4
[c000000001d0fc30] c00000000065e710 .devinet_init+0x88/0xb0
[c000000001d0fcc0] c00000000065db74 .ip_rt_init+0x17c/0x32c
[c000000001d0fd70] c00000000065deec .ip_init+0x10/0x34
[c000000001d0fdf0] c00000000065e898 .inet_init+0x160/0x3dc
[c000000001d0fea0] c000000000630bc4 .kernel_init+0x204/0x3c8

A bit of poking around makes it clear what the problem is:
In sysctl_set_parent(), the for loop 

   for (; table->ctl_name || table->procname; table++) {

walks off the end of the table, and into garbage.  Basically,
this for-loop iterator expects all table arrays to be 
"null terminated".  However, net/ipv4/devinet.c statically 
declares an array that is not null-terminated.  The patch 
below fixes that; it works for me.  Its somewhat conservative;
if one wishes to assume that the compiler will always zero out
the empty parts of the structure, then this pach can be shrunk 
to one line: +	ctl_table		devinet_root_dir[3];

Signed-off-by: Linas Vepstas <linas@...tin.ibm.com>

----
I tried to audit some of the code to see where else there 
might be similar badly-formed static declarations.  This is hard,
as there's a lot of code. Most seems fine.


 net/core/neighbour.c |    4 ++++
 net/ipv4/devinet.c   |    7 ++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

Index: linux-2.6.22-git2/net/ipv4/devinet.c
===================================================================
--- linux-2.6.22-git2.orig/net/ipv4/devinet.c	2007-07-13 14:23:21.000000000 -0500
+++ linux-2.6.22-git2/net/ipv4/devinet.c	2007-07-13 14:24:15.000000000 -0500
@@ -1424,7 +1424,7 @@ static struct devinet_sysctl_table {
 	ctl_table		devinet_dev[2];
 	ctl_table		devinet_conf_dir[2];
 	ctl_table		devinet_proto_dir[2];
-	ctl_table		devinet_root_dir[2];
+	ctl_table		devinet_root_dir[3];
 } devinet_sysctl = {
 	.devinet_vars = {
 		DEVINET_SYSCTL_COMPLEX_ENTRY(FORWARDING, "forwarding",
@@ -1493,8 +1493,13 @@ static struct devinet_sysctl_table {
 			.data		= &ipv4_devconf.loop,
 			.maxlen		= sizeof(int),
 			.mode		= 0644,
+			.child	= 0x0,
 			.proc_handler	= &proc_dointvec,
 		},
+		{
+			.ctl_name	= 0,
+			.procname	= 0,
+		},
 	},
 };
 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ