lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 1 Mar 2007 15:30:25 -0800
From:	Stephen Hemminger <shemminger@...ux-foundation.org>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	netdev@...r.kernel.org,
	"bugme-daemon@...nel-bugs.osdl.org" 
	<bugme-daemon@...zilla.kernel.org>, loveminix@...oo.com.cn,
	khc@...waw.pl
Subject: Re: [Bugme-new] [Bug 8107] New: dev->header_cache_update has a
 random value

On Thu, 1 Mar 2007 14:54:23 -0800
Andrew Morton <akpm@...ux-foundation.org> wrote:

> On Thu, 1 Mar 2007 14:37:27 -0800
> Stephen Hemminger <shemminger@...ux-foundation.org> wrote:
> 
> > On Thu, 1 Mar 2007 14:34:17 -0800
> > Andrew Morton <akpm@...ux-foundation.org> wrote:
> > 
> > > On Thu, 1 Mar 2007 11:33:05 -0800
> > > bugme-daemon@...zilla.kernel.org wrote:
> > > 
> > > > http://bugzilla.kernel.org/show_bug.cgi?id=8107
> > > > 
> > > >            Summary: dev->header_cache_update has a random value
> > > >     Kernel Version: 2.6.20
> > > >             Status: NEW
> > > >           Severity: high
> > > >              Owner: jgarzik@...ox.com
> > > >          Submitter: loveminix@...oo.com.cn
> > > > 
> > > > 
> > > > Distribution: Kernel 2.6.20
> > > > 
> > > > Problem Description:
> > > > 
> > > > In struct net_device, there are two fields: hard_header_cache and 
> > > > header_cache_update, both of which are function pointers. The third field, 
> > > > hard_header, is also a function pointer. Whenever hard_header points to a valid 
> > > > function, both hard_header_cache and header_cache_update should have a known 
> > > > value, either NULL or a valid function pointer. However, in 
> > > > drivers/net/wan/hdlc_cisco.c, in function static int cisco_ioctl(struct 
> > > > net_device *dev, struct ifreq *ifr), where dev->hard_header is assigned a valid 
> > > > function, and dev->hard_header_cache is assigned a known value (NULL), dev-
> > > > >header_cache_update is not set to a known value:
> > > > 
> > > > dev->hard_start_xmit = hdlc->xmit;
> > > >         dev->hard_header = cisco_hard_header;
> > > >         dev->hard_header_cache = NULL;
> > > >         dev->type = ARPHRD_CISCO;
> > > >         dev->flags = IFF_POINTOPOINT | IFF_NOARP;
> > > >         dev->addr_len = 0;
> > > > 
> > > > This may cause serious problems when dev->header_cache_update is invoked, 
> > > > because it has an uninitialized value.
> > > > 
> > > > Steps to reproduce:
> > > > 
> > > > I found this suspicious spot with the help of a code-checking tool.
> > > > 
> > > 
> > > Like this?
> > 
> > Not necessary, since any network device must already allocated by
> > alloc_netdev() and it initializes the whole struct to 0 (NULL).
> 
> But ioctl(IF_PROTO_CISCO) can be run multiple times across the lifetime of
> a net_device?

Your right, but so far there is no ioctl to take it out of this mode.
So it is a one way door.

This device never calls hdlc->detach??

-- 
Stephen Hemminger <shemminger@...ux-foundation.org>
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists