[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20131114.020355.1973894145326845195.davem@davemloft.net>
Date: Thu, 14 Nov 2013 02:03:55 -0500 (EST)
From: David Miller <davem@...emloft.net>
To: johunt@...mai.com
Cc: netdev@...r.kernel.org, venkat.x.venkatsubra@...cle.com,
linux-kernel@...r.kernel.org, jjolly@...e.com, fenlason@...hat.com,
honli@...hat.com
Subject: Re: [PATCH] rds: fix local ping DoS
From: Josh Hunt <johunt@...mai.com>
Date: Wed, 13 Nov 2013 17:15:43 -0800
> The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets
> (RDS) protocol implementation allows local users to cause a denial of service
> (BUG_ON and kernel panic) by establishing an RDS connection with the source
> IP address equal to the IPoIB interface's own IP address, as demonstrated by
> rds-ping.
>
> A local unprivileged user could use this flaw to crash the system.
>
> CVE-2012-2372
>
> Reported-by: Honggang Li <honli@...hat.com>
> Signed-off-by: Josh Hunt <johunt@...mai.com>
I'm sorry I can't apply this. This commit message needs to be much
less terse and explain things more.
First of all, why is the "off % RDS_FRAG_SIZE" important?
And, even more importantly, why is is OK to avoid this assertion just
because we're going over loopback?
Furthermore, why doesn't net/rds/iw_send.c:rds_iw_xmit() have the same
exact problem? It makes the same exact assertion check.
I know this RDS code is a steaming pile of poo, but that doesn't mean
we just randomly adjust assertions to make crashes go away without
sufficient understanding of exactly what's going on.
Thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists