lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 09 Feb 2017 16:39:38 -0500 (EST)
From:   David Miller <davem@...emloft.net>
To:     xiyou.wangcong@...il.com
Cc:     netdev@...r.kernel.org, andreyknvl@...gle.com, dvyukov@...gle.com,
        tom@...bertland.com
Subject: Re: [Patch net] kcm: fix 0-length case for kcm_sendmsg()

From: Cong Wang <xiyou.wangcong@...il.com>
Date: Tue,  7 Feb 2017 12:59:47 -0800

> Dmitry reported a kernel warning:
> 
>  WARNING: CPU: 3 PID: 2936 at net/kcm/kcmsock.c:627
>  kcm_write_msgs+0x12e3/0x1b90 net/kcm/kcmsock.c:627
>  CPU: 3 PID: 2936 Comm: a.out Not tainted 4.10.0-rc6+ #209
>  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>  Call Trace:
>   __dump_stack lib/dump_stack.c:15 [inline]
>   dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
>   panic+0x1fb/0x412 kernel/panic.c:179
>   __warn+0x1c4/0x1e0 kernel/panic.c:539
>   warn_slowpath_null+0x2c/0x40 kernel/panic.c:582
>   kcm_write_msgs+0x12e3/0x1b90 net/kcm/kcmsock.c:627
>   kcm_sendmsg+0x163a/0x2200 net/kcm/kcmsock.c:1029
>   sock_sendmsg_nosec net/socket.c:635 [inline]
>   sock_sendmsg+0xca/0x110 net/socket.c:645
>   sock_write_iter+0x326/0x600 net/socket.c:848
>   new_sync_write fs/read_write.c:499 [inline]
>   __vfs_write+0x483/0x740 fs/read_write.c:512
>   vfs_write+0x187/0x530 fs/read_write.c:560
>   SYSC_write fs/read_write.c:607 [inline]
>   SyS_write+0xfb/0x230 fs/read_write.c:599
>   entry_SYSCALL_64_fastpath+0x1f/0xc2
> 
> when calling syscall(__NR_write, sock2, 0x208aaf27ul, 0x0ul) on a KCM
> seqpacket socket. It appears that kcm_sendmsg() does not handle len==0
> case correctly, which causes an empty skb is allocated and queued.
> Fix this by skipping the skb allocation for len==0 case.
> 
> Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
> Cc: Tom Herbert <tom@...bertland.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>

Applied and queued up for -stable.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ