| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <063D6719AE5E284EB5DD2968C1650D6D1748BC57@AcuExch.aculab.com>
Date: Mon, 8 Sep 2014 13:23:33 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'David Miller' <davem@...emloft.net>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: RE: [PATCH V2 net] core: Don't attempt to load the "" driver.
From: David Miller
> From: David Laight <David.Laight@...LAB.COM>
> Date: Wed, 3 Sep 2014 08:55:21 +0000
>
> > Requests like 'ifconfig ""' cause dev_load(net, "") be called, since
> > request_module("") return 0 (success) this generates the error message:
> > "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and
> alias netdev- instead."
> >
> > Since dev_load() doesn't have to work, just ignore such names.
> >
> > Signed-off-by: David Laight <david.laight@...lab.com>
> > ---
> >
> > V2: Added sign off.
> >
> > If you search for the above error message, you'll find a lot of complaints.
> > While the applications shouldn't be calling an SIOCxxx ioctl with ifr_name[0] == 0
> > the kernel shouldn't be tracing the error either.
> >
> > Due to the complaints from users, this might be a backport candidate.
>
> I have to say that I don't like this.
>
> Why is request_module("") signalled with success unconditionally?
> A module didn't get loaded, so semantically this behavior makes
> no sense at all.
>
> I would rather than simply request_module() signal an error in this
> case, and then _NOBODY_ has to have all of this duplicated logic to
> check for name[0]=='\0' throughout all of the call chains leading to
> request_module().
Maybe, but the SIOCxxx ioctl code is only doing a speculative module load.
Possibly it should error out the ioctl request earlier if ifr_name is "",
but maybe it is sometimes valid?
In this case you also want to stop the attempt to load "netdev-".
Hmmm... that really sucks...
This whole 'try to load the module' path should be predicated on
'interface not found'.
I presume that the locking rules prohibit the module load attempt
at that time.
Maybe the ioctl code should do a retry if it gets the 'interface not found'
error - instead of assuming that the module needs loading.
At the moment I think that if you run 'ifconfig eth0' it will try to
load "netdev-eth0" and "eth0" (maybe without the unit suffix) before
attempting to do anything else.
I didn't do any 'software archaeology' on the SIOCxxx ioctl code.
David
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists