| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <adafxisjzel.fsf@cisco.com> Date: Thu, 05 Feb 2009 14:24:02 -0800 From: Roland Dreier <rdreier@...co.com> To: Eric Sesterhenn <snakebyte@....de> Cc: Herbert Xu <herbert@...dor.apana.org.au>, David Miller <davem@...emloft.net>, netdev@...r.kernel.org, yoshfuji@...ux-ipv6.org Subject: Re: Deadlock with icmpv6fuzz > [ 2880.044328] icmpv6fuzz: page allocation failure. order:9, mode:0x40d0 > [ 2880.044495] Pid: 10968, comm: icmpv6fuzz Not tainted > 2.6.29-rc3-00580-ga2fe994-dirty #239 > [ 2880.044694] Call Trace: > [ 2880.044802] [<c016886a>] __alloc_pages_internal+0x38e/0x3aa > [ 2880.044954] [<c016889a>] __get_free_pages+0x14/0x24 > [ 2880.071336] [<c018412c>] __kmalloc+0x2e/0x122 > [ 2880.071589] [<c06fa227>] ipv6_flowlabel_opt+0x1e0/0x7b1 > [ 2880.092922] [<c06e8c9e>] ipv6_setsockopt+0xa0f/0xb89 >From a quick scan of the code, it looks as if optlen is never sanity checked in the case of setsockopt(IPV6_FLOWLABEL_MGR), and ipv6_flowlabel_opt() calls into fl_create() with whatever value userspace passes in, which then pretty much does kmalloc(optlen). So if icmpv6fuzz passes some big random value, it can cause this failure. I don't know what the appropriate limit should be, so no patch, sorry. - R. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists