lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20071015124919.30ed8f06.akpm@linux-foundation.org>
Date:	Mon, 15 Oct 2007 12:49:19 -0700
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Anton Arapov <aarapov@...hat.com>
Cc:	linux-kernel@...r.kernel.org, linux-netdev@...r.kernel.org,
	davem@...hat.com, jgarzik@...hat.com
Subject: Re: [PATCH] ipv4: kernel panic when only one unsecured port
 available

On Tue, 09 Oct 2007 15:59:14 +0200
Anton Arapov <aarapov@...hat.com> wrote:

> Steps to reproduce:
> Server:
>   [root@...ver ~]# cat /etc/exports
>   /export *(ro,insecure)
> // there is insecure ... I am using ports like "1024 to 61000"
>   [root@...ver ~] service nfs restart 
> 
> Client:
>   1.[root@...ent ~]# echo 32768 32768 > /proc/sys/net/ipv4/ip_local_port_range
>   32768   32768
> // two same numbers, for ex "32769 32769" etc.
>   2.[root@...ent ~]# cat /proc/sys/net/ipv4/ip_local_port_range
>   32768   32768
>   3.[root@...ent ~]# mount server:/export /import
>   
> Actual results:
>   Kernel always panics 
> 
> --------------------------------------------------------------------
> [PATCH] ipv4: kernel panic when only one unsecured port available
> 
>   Patch prevents division by zero. Kernel panics if only one 
> unsecured port available.
> 
> Signed-off-by: Anton Arapov <aarapov@...hat.com>
> ---
> 
>  net/ipv4/inet_connection_sock.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
> index fbe7714..00ad079 100644
> --- a/net/ipv4/inet_connection_sock.c
> +++ b/net/ipv4/inet_connection_sock.c
> @@ -80,7 +80,7 @@ int inet_csk_get_port(struct inet_hashinfo *hashinfo,
>  		int low = sysctl_local_port_range[0];
>  		int high = sysctl_local_port_range[1];
>  		int remaining = (high - low) + 1;
> -		int rover = net_random() % (high - low) + low;
> +		int rover = net_random() % remaining + low;
>  
>  		do {
>  			head = &hashinfo->bhash[inet_bhashfn(rover, hashinfo->bhash_size)];
> 

This code has recently been reworked, but from my reading, that
divide-by-zero can still occur.  And given that the numbers in
/proc/sys/net/ipv4/ip_local_port_range are inclusive, the arithmetic in
inet_csk_get_port() seems to just be wrong?

So we have this, against David's current devel tree:

--- a/net/ipv4/inet_connection_sock.c~ipv4-kernel-panic-when-only-one-unsecured-port-available
+++ a/net/ipv4/inet_connection_sock.c
@@ -93,7 +93,7 @@ int inet_csk_get_port(struct inet_hashin
 		int remaining, rover, low, high;
 
 		inet_get_local_port_range(&low, &high);
-		remaining = high - low;
+		remaining = high - low + 1;
 		rover = net_random() % remaining + low;
 
 		do {
_


btw, mime-mangled gpg-fancified emails are rather a pain to handle at the
receivnig end.  Good old text/plain works better, please.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ