Date: Fri, 2 Jan 2009 10:53:18 +0200 (EET)
From: "Ilpo Järvinen" <ilpo.jarvinen@...sinki.fi>
To: Eric Sesterhenn <snakebyte@....de>
cc: Netdev <netdev@...r.kernel.org>, David Miller <davem@...emloft.net>, yoshfuji@...ux-ipv6.org
Subject: Re: [BUG] icmpv6fuzz creates bad paging request

On Thu, 1 Jan 2009, Eric Sesterhenn wrote:

> Hi,
>
> running "icmpv6fuzz -r 2187" gives me the following oops with current -git
>
>
> [ 4320.851654] BUG: unable to handle kernel paging request at c9527000
> [ 4320.851749] IP: [<c04e5668>] __copy_from_user_ll+0x8c/0xd8
> [ 4320.851898] *pde = 0001f067 *pte = 09527160
> [ 4320.851977] Oops: 0002 [#1] PREEMPT DEBUG_PAGEALLOC
> [ 4320.852011] last sysfs file: /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/resource
> [ 4320.852011] Modules linked in:
> [ 4320.852011]
> [ 4320.852011] Pid: 5065, comm: icmpv6fuzz Tainted: G W (2.6.28-04928-g6a94cb7 #152) System Name
> [ 4320.852011] EIP: 0060:[<c04e5668>] EFLAGS: 00010202 CPU: 0
> [ 4320.852011] EIP is at __copy_from_user_ll+0x8c/0xd8
> [ 4320.852011] EAX: 00000000 EBX: 4b17b3d7 ECX: 4b1782d7 EDX: 00000000
> [ 4320.852011] ESI: 097d5f24 EDI: c9526fc8 EBP: c9523da0 ESP: c9523d98
> [ 4320.852011] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> [ 4320.852011] Process icmpv6fuzz (pid: 5065, ti=c9523000 task=cee15b00 task.ti=c9523000)
> [ 4320.852011] Stack:
> [ 4320.852011] c9523ec8 097d2e24 c9523db4 c04e5907 00000000 c9523ec8 cee431fc c9523f1c
> [ 4320.852011] c06fd4db 00000032 cee42f00 00000000 cee15b00 00000002 00000000 00000000
> [ 4320.852011] c951ea64 cee15b00 00000002 00000000 00000000 c951ea64 cee15b00 00000246
> [ 4320.852011] Call Trace:
> [ 4320.852011] [<c04e5907>] ? copy_from_user+0x36/0x59
> [ 4320.852011] [<c06fd4db>] ? ipv6_setsockopt+0x4ed/0xb8e
> [ 4320.852011] [<c017c674>] ? might_fault+0x42/0x7e
> [ 4320.852011] [<c04e5b25>] ? copy_to_user+0x38/0x43
> [ 4320.852011] [<c01421d1>] ? print_lock_contention_bug+0x11/0xb2
> [ 4320.852011] [<c0143f37>] ? trace_hardirqs_on+0xb/0xd
> [ 4320.852011] Code: 1c 8b 46 20 8b 56 24 89 47 20 89 57 24 8b 46 28 8b 56 2c 89 47 28 89 57 2c 8b 46 30 8b 56 34 89 47 30 89 57 34 8b 46 38 8b 56 3c <89> 47 38 89 57 3c 83 c1 c0 83 c6 40 83 c7 40 83 f9 3f 77 88 89
> [ 4320.852011] EIP: [<c04e5668>] __copy_from_user_ll+0x8c/0xd8 SS:ESP 0068:c9523d98
> [ 4320.852011] ---[ end trace 4eaa2a86a8e2da22 ]---

Can you try the patch below?

I wonder, btw, what's the correct policy wrt. those optval == NULL checks that are visible in the patch's context (IPV6_PKTINFO is the only one which is doing that, while many there fetch to sizeof(struct something)).

--
 i.

[PATCH] ipv6: IPV6_PKTINFO relied userspace providing correct length

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@...sinki.fi>
Reported-by: Eric Sesterhenn <snakebyte@....de>
---
 net/ipv6/ipv6_sockglue.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 0069b7e..d31df0f 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -403,7 +403,7 @@ sticky_done:
 		else if (optlen < sizeof(struct in6_pktinfo) || optval == NULL)
 			goto e_inval;
 
-		if (copy_from_user(&pkt, optval, optlen)) {
+		if (copy_from_user(&pkt, optval, sizeof(struct in6_pktinfo))) {
 			retv = -EFAULT;
 			break;
 		}
--
1.5.2.2
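Review bot: the one-line change in the hunk is the right fix, and the check immediately above it is what makes it safe: `pkt` is a fixed-size `struct in6_pktinfo` local, so copying the caller-supplied `optlen` bytes into it wrote past the end of the structure (and, as the oops shows, past the end of the stack: the destination EDI c9526fc8 is several pages above the task's stack at ti=c9523000, so the copy had already overrun into neighbouring memory before `__copy_from_user_ll` hit an unmapped page). Copying exactly `sizeof(struct in6_pktinfo)` bounds the write to the local, and the preceding `optlen < sizeof(struct in6_pktinfo)` test guarantees the user buffer is at least that long, so no short read is introduced. On the question raised in the mail, the `optval == NULL` test in the context line is redundant for correctness: `copy_from_user` rejects a NULL user pointer via its access check and returns nonzero, so the code would reach the `retv = -EFAULT` path anyway; the only observable difference is returning -EINVAL instead of -EFAULT, which makes it a consistency choice with the other cases rather than a safety one. The commit message would benefit from naming the consequence (a user-controlled length used for a copy into a fixed-size stack object, reachable from an unprivileged setsockopt) so the severity is clear when the change is backported.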