lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20130627.224449.597576653116367356.davem@davemloft.net>
Date:	Thu, 27 Jun 2013 22:44:49 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	pablo@...filter.org
Cc:	netdev@...r.kernel.org, eric.dumazet@...il.com,
	artem.savkov@...il.com, fengguang.wu@...el.com
Subject: Re: [PATCH] netlink: fix splat in skb_clone with large messages

From: Pablo Neira Ayuso <pablo@...filter.org>
Date: Fri, 28 Jun 2013 03:04:23 +0200

> Since (c05cdb1 netlink: allow large data transfers from user-space),
> netlink splats if it invokes skb_clone on large netlink skbs since:
> 
> * skb_shared_info was not correctly initialized.
> * skb->destructor is not set in the cloned skb.
> 
> This was spotted by trinity:
> 
> [  894.990671] BUG: unable to handle kernel paging request at ffffc9000047b001
> [  894.991034] IP: [<ffffffff81a212c4>] skb_clone+0x24/0xc0
> [...]
> [  894.991034] Call Trace:
> [  894.991034]  [<ffffffff81ad299a>] nl_fib_input+0x6a/0x240
> [  894.991034]  [<ffffffff81c3b7e6>] ? _raw_read_unlock+0x26/0x40
> [  894.991034]  [<ffffffff81a5f189>] netlink_unicast+0x169/0x1e0
> [  894.991034]  [<ffffffff81a601e1>] netlink_sendmsg+0x251/0x3d0
> 
> Fix it by:
> 
> 1) introducing a new netlink_skb_clone function that is used in nl_fib_input,
>    that sets our special skb->destructor in the cloned skb. Moreover, handle
>    the release of the large cloned skb head area in the destructor path.
> 
> 2) not allowing large skbuffs in the netlink broadcast path. I cannot find
>    any reasonable use of the large data transfer using netlink in that path,
>    moreover this helps to skip extra skb_clone handling.
> 
> I found two more netlink clients that are cloning the skbs, but they are
> not in the sendmsg path. Therefore, the sole client cloning that I found
> seems to be the fib frontend.
> 
> Thanks to Eric Dumazet for helping to address this issue.
> 
> Reported-by: Fengguang Wu <fengguang.wu@...el.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>

Looks good, applied, thanks!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ