| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20100811083101.GA10126@ff.dom.local>
Date: Wed, 11 Aug 2010 08:31:02 +0000
From: Jarek Poplawski <jarkao2@...il.com>
To: David Miller <davem@...emloft.net>
Cc: netdev@...r.kernel.org, Stephen Hemminger <shemminger@...tta.com>,
Patrick McHardy <kaber@...sh.net>,
Franchoze Eric <franchoze@...dex.ru>
Subject: [PATCH 1/2] pkt_sched: Fix sch_sfq vs tc_modify_qdisc oops
Hi,
After more investigation I've found sch_sfq is still vulnerable
because off its missing class handlers. Here is an oops as
proof of the concept, and a patch below. This patch should be
considered for stable (without following 2/2 patch).
Jarek P.
This oops can happen while doing tc qdisc replace on sfq
leaf qdiscs under some traffic.
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<(null)>] (null)
*pde = 00000000
Oops: 0000 [#1] SMP
last sysfs file: /sys/module/sch_htb/refcnt
Modules linked in: sch_htb sch_sfq sch_prio snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss ipv6 ext3 jbd mbcache lp fuse ppdev snd_intel8x0 snd_ac97_codec ac97_bus rtc_cmos parport_pc uhci_hcd intel_agp snd_pcm e100 psmouse rtc_core mii i2c_i801 parport agpgart processor snd_timer thermal dcdbas serio_raw ehci_hcd rtc_lib shpchp thermal_sys button i2c_core evdev hwmon snd soundcore snd_page_alloc reiserfs [last unloaded: sch_htb]
Pid: 2925, comm: tc Not tainted (2.6.32-smp #1) OptiPlex 170L
EIP: 0060:[<00000000>] EFLAGS: 00010286 CPU: 0
EIP is at 0x0
EAX: cdb52000 EBX: c44dbc98 ECX: d041fe20 EDX: 00000028
ESI: c44dbc98 EDI: cdb52080 EBP: cdb52000 ESP: c44dbc14
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process tc (pid: 2925, ti=c44da000 task=ce819500 task.ti=c44da000)
Stack:
c12dfbe6 00000000 c44dbc98 00000028 cdb52080 cdb52000 c1353949 c44dbc98
<0> 00000028 d041f37a d041fdbd cdb52000 cf151410 cd8b7000 cf065800 c12e1dc1
<0> 00000000 00000000 cd9fd700 cf045000 cf151424 cf151400 cd9fd700 00010002
Call Trace:
[<c12dfbe6>] ? check_loop_fn+0x16/0xa0
[<c1353949>] ? printk+0x17/0x1e
[<d041f37a>] ? sfq_walk+0x8a/0xb0 [sch_sfq]
[<c12e1dc1>] ? tc_modify_qdisc+0x451/0x4f0
[<c12dfbd0>] ? check_loop_fn+0x0/0xa0
[<c12e1970>] ? tc_modify_qdisc+0x0/0x4f0
[<c12d635d>] ? rtnetlink_rcv_msg+0x16d/0x210
[<c12bf2d5>] ? sock_rmalloc+0x35/0x90
[<c12d61f0>] ? rtnetlink_rcv_msg+0x0/0x210
[<c12e7d26>] ? netlink_rcv_skb+0x66/0x90
[<c12d61e9>] ? rtnetlink_rcv+0x19/0x20
[<c12e79fe>] ? netlink_unicast+0x26e/0x280
[<c12e81d5>] ? netlink_sendmsg+0x1d5/0x2f0
[<c12bc401>] ? sock_sendmsg+0x111/0x130
[<c104b560>] ? autoremove_wake_function+0x0/0x50
[<c104b560>] ? autoremove_wake_function+0x0/0x50
[<c12bc594>] ? sys_sendmsg+0x174/0x280
[<c12bd4a6>] ? sys_recvmsg+0x1a6/0x240
[<c10804f4>] ? find_get_page+0x24/0xb0
[<c1080e34>] ? filemap_fault+0x74/0x3a0
[<c1097371>] ? __do_fault+0x361/0x450
[<c12bed30>] ? lock_sock_nested+0x90/0xb0
[<c1098f94>] ? handle_mm_fault+0x144/0x800
[<c12bdc0d>] ? sys_socketcall+0xbd/0x290
[<c101d22a>] ? do_page_fault+0x13a/0x2a0
[<c101d0f0>] ? do_page_fault+0x0/0x2a0
[<c1002eb5>] ? syscall_call+0x7/0xb
Code: Bad EIP value.
EIP: [<00000000>] 0x0 SS:ESP 0068:c44dbc14
CR2: 0000000000000000
------------>
sch_sfq as a classful qdisc needs the .leaf handler. Otherwise, there
is an oops possible in tc_modify_qdisc()/check_loop().
Fixes commit 7d2681a6ff4f9ab5e48d02550b4c6338f1638998
Signed-off-by: Jarek Poplawski <jarkao2@...il.com>
---
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index b8bcb20..201cbac 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -508,6 +508,11 @@ nla_put_failure:
return -1;
}
+static struct Qdisc *sfq_leaf(struct Qdisc *sch, unsigned long arg)
+{
+ return NULL;
+}
+
static unsigned long sfq_get(struct Qdisc *sch, u32 classid)
{
return 0;
@@ -575,6 +580,7 @@ static void sfq_walk(struct Qdisc *sch, struct qdisc_walker *arg)
}
static const struct Qdisc_class_ops sfq_class_ops = {
+ .leaf = sfq_leaf,
.get = sfq_get,
.put = sfq_put,
.tcf_chain = sfq_find_tcf,
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists