lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4DEE209C.2010104@trash.net>
Date:	Tue, 07 Jun 2011 14:59:08 +0200
From:	Patrick McHardy <kaber@...sh.net>
To:	David Miller <davem@...emloft.net>
CC:	davej@...hat.com, netdev@...r.kernel.org,
	netfilter-devel@...r.kernel.org, pablo@...filter.org
Subject: Re: [PATCH] Use unsigned variables for packet lengths in ip[6]_queue.

On 02.06.2011 22:57, David Miller wrote:
> From: Dave Jones <davej@...hat.com>
> Date: Fri, 27 May 2011 20:36:51 -0400
> 
>> On Tue, Apr 19, 2011 at 08:41:05PM -0700, David Miller wrote:
>>  > From: Dave Jones <davej@...hat.com>
>>  > Date: Tue, 19 Apr 2011 21:42:22 -0400
>>  > 
>>  > > Not catastrophic, but ipqueue seems to be too trusting of what it gets
>>  > > passed from userspace, and passes it on down to the page allocator,
>>  > > where it will spew warnings if the page order is too high.
>>  > > 
>>  > > __ipq_rcv_skb has several checks for lengths too small, but doesn't
>>  > > seem to have any for oversized ones.   I'm not sure what the maximum
>>  > > we should check for is. I'll code up a diff if anyone has any ideas
>>  > > on a sane maximum.
>>  > 
>>  > Maybe the thing to do is to simply pass __GFP_NOWARN to nlmsg_new()
>>  > in netlink_ack()?
>>  > 
>>  > Anyone else have a better idea?
>>
>> So I went back to this today, and found something that doesn't look right.
>> After adding some instrumentation, and re-running my tests, I found that
>> the reason we were blowing up with enormous allocations was that we
>> were passing down a nlmsglen's like -1061109568
>>
>> Is there any reason for that to be signed ?
>> The nlmsg_len entry of nlmsghdr is a u32, so I'm assuming this is a bug.
>>
>> With the patch below, I haven't been able to reproduce the problem, but
>> I don't know if I've inadvertantly broken some other behaviour somewhere
>> deeper in netlink where this is valid.

This is fine, but I'm wondering whether this can really fix the problem
you've been seeing. Before the packet is reallocated, the length of
nlmsglen - NLMSGLEN(0) - sizeof(struct ipq_peer_msg) is compared to
ipq_peer_msg->data_len, so both values need to be wrong.
ipq_peer_msg->data_len is a size_t, so it's unsigned.

I think what we should additionally do is verify that data_len < 65535
since that's the maximum size of an IP packet.

Using __GFP_NOWARN also makes sense in my opinion since ip_queue
prints a warning anyways and we return an errno code to userspace.
On second thought, we could also simply use GFP_KERNEL, AFAICS
packet reinjection does not happen in atomic context. I'll give
that a try.


View attachment "x" of type "text/plain" (921 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ