lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 14 Nov 2013 07:45:37 -0600
From:	Josh Hunt <johunt@...mai.com>
To:	David Miller <davem@...emloft.net>
CC:	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"venkat.x.venkatsubra@...cle.com" <venkat.x.venkatsubra@...cle.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"jjolly@...e.com" <jjolly@...e.com>,
	"fenlason@...hat.com" <fenlason@...hat.com>,
	"honli@...hat.com" <honli@...hat.com>
Subject: Re: [PATCH] rds: fix local ping DoS

On 11/14/2013 01:03 AM, David Miller wrote:
> From: Josh Hunt <johunt@...mai.com>
> Date: Wed, 13 Nov 2013 17:15:43 -0800
>
>> The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets
>> (RDS) protocol implementation allows local users to cause a denial of service
>> (BUG_ON and kernel panic) by establishing an RDS connection with the source
>> IP address equal to the IPoIB interface's own IP address, as demonstrated by
>> rds-ping.
>>
>> A local unprivileged user could use this flaw to crash the system.
>>
>> CVE-2012-2372
>>
>> Reported-by: Honggang Li <honli@...hat.com>
>> Signed-off-by: Josh Hunt <johunt@...mai.com>
>
> I'm sorry I can't apply this.  This commit message needs to be much
> less terse and explain things more.
>
> First of all, why is the "off % RDS_FRAG_SIZE" important?
>
> And, even more importantly, why is is OK to avoid this assertion just
> because we're going over loopback?
>
> Furthermore, why doesn't net/rds/iw_send.c:rds_iw_xmit() have the same
> exact problem?  It makes the same exact assertion check.
>
> I know this RDS code is a steaming pile of poo, but that doesn't mean
> we just randomly adjust assertions to make crashes go away without
> sufficient understanding of exactly what's going on.
>
> Thanks.
>

Sure understandable questions. Unfortunately I don't have the hardware 
to properly debug and analyze. I was just trying to get this through on 
the assumption that the previous attempts just failed due to incorrect 
submission procedures and lack of a reproducible testcase. If nothing 
else this whole thing brought out the testcase :)

Testcase from Honggang's earlier mail:
<snip>
The test case is very simple:
Steps to Reproduce:
1. yum install -y rds-tools

2. [root@...a3 ~]# ifconfig ib0 | grep 'inet addr'
           inet addr:172.31.0.3  Bcast:172.31.0.255  Mask:255.255.255.0

3. [root@...a3 ~]# /usr/bin/rds-ping 172.31.0.3  <<<< kernel panic (You
may need to wait for a few seconds before the kernel panic.)

This bug can be reproduced with Mellanox HCAs (mlx4_ib.ko and mthca.ko),
QLogic HCA (ib_qib.ko). I did not test the QLogic HCA running "ib_ipath.ko".
</snip>

Perhaps Venkat or someone else with the hardware mentioned can provide a 
better explanation and better solution to the crash.

Josh
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists