lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 8 Nov 2008 06:36:18 +0300
From:	Alexey Dobriyan <adobriyan@...il.com>
To:	Eric Sesterhenn <snakebyte@....de>, davem@...emloft.net
Cc:	netdev@...r.kernel.org, alan@...rguk.ukuu.org.uk
Subject: [PATCH] net: fix /proc/net/snmp as memory corruptor

On Sat, Nov 08, 2008 at 05:52:56AM +0300, Alexey Dobriyan wrote:
> On Sat, Nov 08, 2008 at 04:02:37AM +0300, Alexey Dobriyan wrote:
> > On Sat, Nov 08, 2008 at 01:22:08AM +0100, Eric Sesterhenn wrote:
> > > running a bunch of network related stresstests (isic, isicng, ...) 
> > > and trying to read all files in /proc afterwards gave me two
> > > oopses. I was able to reproduce them on another box with
> > > a different config. I was able to reproduce this on 2.6.24 too,
> > > so this is no regression. The icmpsic is version 0.06. 
> > > The minimal testcase to trigger this:
> > > 
> > > ------------8<----------------
> > > #!/bin/bash
> > > 
> > > icmpsic -s 127.0.0.1 -d 127.0.0.1 -p 100000
> > > 
> > > find /proc/net/ | xargs cat > /dev/null
> > > 
> > > cat /proc/net/ip_mr_cache
> > > cat /proc/net/ip_mr_vif
> > > ------------8<----------------
> > > 
> > > 
> > > root@...puter-desktop:~/testing# cat /proc/338/net/ip_mr_cache
> > > 
> > > [ 1572.702100] BUG: unable to handle kernel NULL pointer dereference at 000001c1
> > > [ 1572.702588] IP: [<c05942c6>] ipmr_mfc_seq_show+0x26/0xf0
> > 
> > Reproduced.
> 
> 	icmpsic -s 127.0.0.1 -d 127.0.0.1 -p 100000
> 	cat /proc/net/snmp				# sic
> 	cat /proc/net/ip_mr_cache
> 
> mfc_cache_array is full of small integers
> 
> 	[0] = 0x1a8
> 	[1] = 0x1a9
> 
> and so on.

OK, this minimally fixes mfc_cache_array corruption.

Someone was scared of 16 integers on stack. :^)


[PATCH] net: fix /proc/net/snmp as memory corruptor

Local "interesting MIBs" table is so small, and counter can get so big given
junk ICMP packets.

Signed-off-by: Alexey Dobriyan <adobriyan@...il.com>
---

 net/ipv4/proc.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -263,6 +263,7 @@ static void icmpmsg_put(struct seq_file *seq)
 				snmp_fold_field((void **) net->mib.icmpmsg_statistics,
 				out[j]));
 		seq_putc(seq, '\n');
+		count = 0;
 	}
 	if (count) {
 		seq_printf(seq, "\nIcmpMsg:");
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ