lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Jun 2013 22:44:49 -0700 (PDT) From: David Miller <davem@...emloft.net> To: pablo@...filter.org Cc: netdev@...r.kernel.org, eric.dumazet@...il.com, artem.savkov@...il.com, fengguang.wu@...el.com Subject: Re: [PATCH] netlink: fix splat in skb_clone with large messages From: Pablo Neira Ayuso <pablo@...filter.org> Date: Fri, 28 Jun 2013 03:04:23 +0200 > Since (c05cdb1 netlink: allow large data transfers from user-space), > netlink splats if it invokes skb_clone on large netlink skbs since: > > * skb_shared_info was not correctly initialized. > * skb->destructor is not set in the cloned skb. > > This was spotted by trinity: > > [ 894.990671] BUG: unable to handle kernel paging request at ffffc9000047b001 > [ 894.991034] IP: [<ffffffff81a212c4>] skb_clone+0x24/0xc0 > [...] > [ 894.991034] Call Trace: > [ 894.991034] [<ffffffff81ad299a>] nl_fib_input+0x6a/0x240 > [ 894.991034] [<ffffffff81c3b7e6>] ? _raw_read_unlock+0x26/0x40 > [ 894.991034] [<ffffffff81a5f189>] netlink_unicast+0x169/0x1e0 > [ 894.991034] [<ffffffff81a601e1>] netlink_sendmsg+0x251/0x3d0 > > Fix it by: > > 1) introducing a new netlink_skb_clone function that is used in nl_fib_input, > that sets our special skb->destructor in the cloned skb. Moreover, handle > the release of the large cloned skb head area in the destructor path. > > 2) not allowing large skbuffs in the netlink broadcast path. I cannot find > any reasonable use of the large data transfer using netlink in that path, > moreover this helps to skip extra skb_clone handling. > > I found two more netlink clients that are cloning the skbs, but they are > not in the sendmsg path. Therefore, the sole client cloning that I found > seems to be the fib frontend. > > Thanks to Eric Dumazet for helping to address this issue. > > Reported-by: Fengguang Wu <fengguang.wu@...el.com> > Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org> Looks good, applied, thanks! -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists