lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 25 Apr 2007 22:48:42 -0700
From:	Greg KH <greg@...ah.com>
To:	David Miller <davem@...emloft.net>
Cc:	torvalds@...ux-foundation.org, kuznet@....inr.ac.ru,
	security@...nel.org, netdev@...r.kernel.org, jaco@...on.co.za
Subject: Re: [Security] [PATCH] infinite recursion in netlink

On Wed, Apr 25, 2007 at 10:44:20PM -0700, Greg KH wrote:
> On Wed, Apr 25, 2007 at 10:32:01PM -0700, David Miller wrote:
> > From: Greg KH <greg@...ah.com>
> > Date: Wed, 25 Apr 2007 22:29:12 -0700
> > 
> > > On Wed, Apr 25, 2007 at 01:15:12PM -0700, Linus Torvalds wrote:
> > > > 
> > > > 
> > > > On Wed, 25 Apr 2007, Alexey Kuznetsov wrote:
> > > > > 
> > > > > Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel,
> > > > > which resulted in infinite recursion and stack overflow.
> > > 
> > > Wait, I just had the bright idea of actually testing this before I
> > > pushed out a 2.6.20.9 kernel with another fix in it, and nope, still
> > > crashes, even with this patch  :(
> > > 
> > > Full stackdump in a picture (forgot to have netconsole running) at:
> > > 	http://www.kroah.com/netlink_oops.jpg
> > > 
> > > Any thoughts?
> > > 
> > > I'll go try 2.6.21 now too...
> > 
> > Crap.  We should have let this one simmer for a day to get
> > more eyes on it.
> > 
> > Thanks for catching this Greg.
> 
> Odd, 2.6.21 doesn't crash at all.
> 
> Can anyone verify that I made the 2.6.20.8 release correctly with the
> proper patch?

fyi, here's the patch that I applied, perhaps 2.6.20 needed something
else too?

thanks,

greg k-h


Subject: NETLINK: Infinite recursion in netlink.

From: Alexey Kuznetsov <kuznet@....inr.ac.ru>

[NETLINK]: Infinite recursion in netlink.

Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel,
which resulted in infinite recursion and stack overflow.

The bug is present in all kernel versions since the feature appeared.

The patch also makes some minimal cleanup:

1. Return something consistent (-ENOENT) when fib table is missing
2. Do not crash when queue is empty (does not happen, but yet)
3. Put result of lookup

Signed-off-by: Alexey Kuznetsov <kuznet@....inr.ac.ru>
Signed-off-by: David S. Miller <davem@...emloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de>

---
 net/ipv4/fib_frontend.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -772,6 +772,8 @@ static void nl_fib_lookup(struct fib_res
 				       .nl_u = { .ip4_u = { .daddr = frn->fl_addr,
 							    .tos = frn->fl_tos,
 							    .scope = frn->fl_scope } } };
+
+	frn->err = -ENOENT;
 	if (tb) {
 		local_bh_disable();
 
@@ -783,6 +785,7 @@ static void nl_fib_lookup(struct fib_res
 			frn->nh_sel = res.nh_sel;
 			frn->type = res.type;
 			frn->scope = res.scope;
+			fib_res_put(&res);
 		}
 		local_bh_enable();
 	}
@@ -797,6 +800,9 @@ static void nl_fib_input(struct sock *sk
 	struct fib_table *tb;
 	
 	skb = skb_dequeue(&sk->sk_receive_queue);
+	if (skb == NULL)
+		return;
+
 	nlh = (struct nlmsghdr *)skb->data;
 	if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len ||
 	    nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) {
@@ -809,7 +815,7 @@ static void nl_fib_input(struct sock *sk
 
 	nl_fib_lookup(frn, tb);
 	
-	pid = nlh->nlmsg_pid;           /*pid of sending process */
+	pid = NETLINK_CB(skb).pid;       /* pid of sending process */
 	NETLINK_CB(skb).pid = 0;         /* from kernel */
 	NETLINK_CB(skb).dst_group = 0;  /* unicast */
 	netlink_unicast(sk, skb, pid, MSG_DONTWAIT);
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists