lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Sat, 31 Jan 2009 10:37:17 +0100
From:	Sebastiano Di Paola <sebastiano.dipaola@...il.com>
To:	netdev@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org, trivial@...nel.org,
	"Fred N. van Kempen" <waltje@...lt.NL.Mugnet.ORG>,
	Alan Cox <gw4pts@...pts.ampr.org>, paolo.abeni@...il.com,
	sebastiano.dipaola@...il.com
Subject: Subject: [PATCH 2.6.28-git] net: packet socket packet_lookup_frame 
	fix

From: Sebastiano Di Paola and Paolo Abeni

packet_lookup_frames() fails to get user frame if current frame header
status contains extra flags.
This is due to the wrong assumption on the operators precedence during
frame status tests.
Fixed by forcing the right operators precedence order with explicit brackets.

Signed-off-by: Paolo Abeni <paolo.abeni@...il.com>
Signed-off-by: Sebastiano Di Paola <sebastiano.dipaola@...il.com>
---

The issue arises when packet_lookup_frame() is called with status ==
TP_STATUS_USER, that is when the packet socket is memory mapped and a
select() or a poll() syscall is performed on the socket.
If h.h1->tp_status is set to TP_STATUS_USER | TP_STATUS_LOSING (or any
other value with multiple bits set), the tested expression evaluate to
TP_STATUS_USER (!= 0) and a null pointer is returned, even if the
current frame is ready to be read by the user. In such scenario the
poll() and the select() system call stop working.
N.B. This problem is present from version >= 2.6.27

--- linux-2.6.28/net/packet/af_packet.c.orig	2009-01-30 16:29:56.000000000 +0100
+++ linux-2.6.28/net/packet/af_packet.c	2009-01-30 16:27:58.000000000 +0100
@@ -220,13 +220,13 @@ static void *packet_lookup_frame(struct
 	h.raw = po->pg_vec[pg_vec_pos] + (frame_offset * po->frame_size);
 	switch (po->tp_version) {
 	case TPACKET_V1:
-		if (status != h.h1->tp_status ? TP_STATUS_USER :
-						TP_STATUS_KERNEL)
+		if (status != (h.h1->tp_status ? TP_STATUS_USER :
+						TP_STATUS_KERNEL))
 			return NULL;
 		break;
 	case TPACKET_V2:
-		if (status != h.h2->tp_status ? TP_STATUS_USER :
-						TP_STATUS_KERNEL)
+		if (status != (h.h2->tp_status ? TP_STATUS_USER :
+						TP_STATUS_KERNEL))
 			return NULL;
 		break;
 	}
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ