lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <063D6719AE5E284EB5DD2968C1650D6D1748BC57@AcuExch.aculab.com> Date: Mon, 8 Sep 2014 13:23:33 +0000 From: David Laight <David.Laight@...LAB.COM> To: 'David Miller' <davem@...emloft.net> CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org> Subject: RE: [PATCH V2 net] core: Don't attempt to load the "" driver. From: David Miller > From: David Laight <David.Laight@...LAB.COM> > Date: Wed, 3 Sep 2014 08:55:21 +0000 > > > Requests like 'ifconfig ""' cause dev_load(net, "") be called, since > > request_module("") return 0 (success) this generates the error message: > > "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and > alias netdev- instead." > > > > Since dev_load() doesn't have to work, just ignore such names. > > > > Signed-off-by: David Laight <david.laight@...lab.com> > > --- > > > > V2: Added sign off. > > > > If you search for the above error message, you'll find a lot of complaints. > > While the applications shouldn't be calling an SIOCxxx ioctl with ifr_name[0] == 0 > > the kernel shouldn't be tracing the error either. > > > > Due to the complaints from users, this might be a backport candidate. > > I have to say that I don't like this. > > Why is request_module("") signalled with success unconditionally? > A module didn't get loaded, so semantically this behavior makes > no sense at all. > > I would rather than simply request_module() signal an error in this > case, and then _NOBODY_ has to have all of this duplicated logic to > check for name[0]=='\0' throughout all of the call chains leading to > request_module(). Maybe, but the SIOCxxx ioctl code is only doing a speculative module load. Possibly it should error out the ioctl request earlier if ifr_name is "", but maybe it is sometimes valid? In this case you also want to stop the attempt to load "netdev-". Hmmm... that really sucks... This whole 'try to load the module' path should be predicated on 'interface not found'. I presume that the locking rules prohibit the module load attempt at that time. Maybe the ioctl code should do a retry if it gets the 'interface not found' error - instead of assuming that the module needs loading. At the moment I think that if you run 'ifconfig eth0' it will try to load "netdev-eth0" and "eth0" (maybe without the unit suffix) before attempting to do anything else. I didn't do any 'software archaeology' on the SIOCxxx ioctl code. David -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists