| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Apr 2007 22:48:42 -0700
From: Greg KH <greg@...ah.com>
To: David Miller <davem@...emloft.net>
Cc: torvalds@...ux-foundation.org, kuznet@....inr.ac.ru,
security@...nel.org, netdev@...r.kernel.org, jaco@...on.co.za
Subject: Re: [Security] [PATCH] infinite recursion in netlink
On Wed, Apr 25, 2007 at 10:44:20PM -0700, Greg KH wrote:
> On Wed, Apr 25, 2007 at 10:32:01PM -0700, David Miller wrote:
> > From: Greg KH <greg@...ah.com>
> > Date: Wed, 25 Apr 2007 22:29:12 -0700
> >
> > > On Wed, Apr 25, 2007 at 01:15:12PM -0700, Linus Torvalds wrote:
> > > >
> > > >
> > > > On Wed, 25 Apr 2007, Alexey Kuznetsov wrote:
> > > > >
> > > > > Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel,
> > > > > which resulted in infinite recursion and stack overflow.
> > >
> > > Wait, I just had the bright idea of actually testing this before I
> > > pushed out a 2.6.20.9 kernel with another fix in it, and nope, still
> > > crashes, even with this patch :(
> > >
> > > Full stackdump in a picture (forgot to have netconsole running) at:
> > > http://www.kroah.com/netlink_oops.jpg
> > >
> > > Any thoughts?
> > >
> > > I'll go try 2.6.21 now too...
> >
> > Crap. We should have let this one simmer for a day to get
> > more eyes on it.
> >
> > Thanks for catching this Greg.
>
> Odd, 2.6.21 doesn't crash at all.
>
> Can anyone verify that I made the 2.6.20.8 release correctly with the
> proper patch?
fyi, here's the patch that I applied, perhaps 2.6.20 needed something
else too?
thanks,
greg k-h
Subject: NETLINK: Infinite recursion in netlink.
From: Alexey Kuznetsov <kuznet@....inr.ac.ru>
[NETLINK]: Infinite recursion in netlink.
Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel,
which resulted in infinite recursion and stack overflow.
The bug is present in all kernel versions since the feature appeared.
The patch also makes some minimal cleanup:
1. Return something consistent (-ENOENT) when fib table is missing
2. Do not crash when queue is empty (does not happen, but yet)
3. Put result of lookup
Signed-off-by: Alexey Kuznetsov <kuznet@....inr.ac.ru>
Signed-off-by: David S. Miller <davem@...emloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de>
---
net/ipv4/fib_frontend.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -772,6 +772,8 @@ static void nl_fib_lookup(struct fib_res
.nl_u = { .ip4_u = { .daddr = frn->fl_addr,
.tos = frn->fl_tos,
.scope = frn->fl_scope } } };
+
+ frn->err = -ENOENT;
if (tb) {
local_bh_disable();
@@ -783,6 +785,7 @@ static void nl_fib_lookup(struct fib_res
frn->nh_sel = res.nh_sel;
frn->type = res.type;
frn->scope = res.scope;
+ fib_res_put(&res);
}
local_bh_enable();
}
@@ -797,6 +800,9 @@ static void nl_fib_input(struct sock *sk
struct fib_table *tb;
skb = skb_dequeue(&sk->sk_receive_queue);
+ if (skb == NULL)
+ return;
+
nlh = (struct nlmsghdr *)skb->data;
if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len ||
nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) {
@@ -809,7 +815,7 @@ static void nl_fib_input(struct sock *sk
nl_fib_lookup(frn, tb);
- pid = nlh->nlmsg_pid; /*pid of sending process */
+ pid = NETLINK_CB(skb).pid; /* pid of sending process */
NETLINK_CB(skb).pid = 0; /* from kernel */
NETLINK_CB(skb).dst_group = 0; /* unicast */
netlink_unicast(sk, skb, pid, MSG_DONTWAIT);
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists