lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Jun 2014 16:50:09 -0700 From: David Decotigny <decot@...glers.com> To: "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, Eric Dumazet <edumazet@...gle.com>, Cong Wang <amwang@...hat.com>, David Decotigny <decot@...glers.com>, Antonio Quartulli <antonio@...hcoding.com>, Jiri Pirko <jpirko@...hat.com> Subject: [PATCH net-next v1 1/2] netpoll: fix use after free After a bonding master reclaims the netpoll info struct, slaves could still hold a pointer to the reclaimed data. This patch fixes it: as soon as netpoll_async_cleanup is called for a slave (eg. when un-enslaved), we make sure that this slave doesn't point to the data. The style of this patch is not nice, but it represents the simplest fix. The function is restructured by the next patch anyway ("netpoll: avoid reference leaks"). Tested: One way to reproduce the panic is with netconsole: with the script below run in a loop without this patch. Same procedure with this patch can run without panic. CONFIG_NETCONSOLE=m CONFIG_NETCONSOLE_DYNAMIC=y Then run in a loop (dual port NIC makes it easier to crash): ifconfig eth0 192.168.42.4 up ifconfig eth1 192.168.56.4 up sleep 10 modprobe -r netconsole modprobe -r bonding modprobe netconsole modprobe bonding mode=4 echo +bond0 > /sys/class/net/bonding_masters ifconfig bond0 192.168.56.3 up mkdir /sys/kernel/config/netconsole/blah echo 0 > /sys/kernel/config/netconsole/blah/enabled echo bond0 > /sys/kernel/config/netconsole/blah/dev_name echo 192.168.56.42 > /sys/kernel/config/netconsole/blah/remote_ip echo 1 > /sys/kernel/config/netconsole/blah/enabled # npinfo refcnt ->1 ifenslave bond0 eth1 # npinfo refcnt ->2 ifenslave bond0 eth0 # (this should be optional, preventing ndo_cleanup_nepoll below) # npinfo refcnt ->3 sleep 3 ifenslave -d bond0 eth1 # npinfo refcnt ->2, eth1 keeps ptr to npinfo reclaimed later => garbage sleep 1 echo -bond0 > /sys/class/net/bonding_masters # netpoll_cleanup(bond0) + dec(refcnt) # (should be optional: becomes -> 1 (aka. != 0) # ==> do not call ndo_cleanup_nepoll) # try to increase chance of writing garbage onto npinfo: ls -lR / 2>&1 | tail -30 echo +bond0 > /sys/class/net/bonding_masters ifconfig bond0 192.168.56.3 up ifenslave bond0 eth1 # dev_open() called --> netpoll_rx_disable() + npinfo is garbage # -> down(&ni->dev_lock); Signed-off-by: David Decotigny <decot@...glers.com> --- net/core/netpoll.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/core/netpoll.c b/net/core/netpoll.c index e33937f..907fb5e 100644 --- a/net/core/netpoll.c +++ b/net/core/netpoll.c @@ -822,7 +822,8 @@ void __netpoll_cleanup(struct netpoll *np) RCU_INIT_POINTER(np->dev->npinfo, NULL); call_rcu_bh(&npinfo->rcu, rcu_cleanup_netpoll_info); - } + } else + RCU_INIT_POINTER(np->dev->npinfo, NULL); } EXPORT_SYMBOL_GPL(__netpoll_cleanup); -- 2.0.0.526.g5318336 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists