Date:   Fri, 16 Feb 2018 04:11:20 +0900
From:   Masatake YAMATO <yamato@...hat.com>
To:     netdev@...r.kernel.org
Cc:     yamato@...hat.com
Subject: [PATCH v2] ss: prepare rth when killing inet sock

kill_inet_sock() expects that an rtnl_handle instance is passed
via the inet_diag_arg argument. However, on the following calling path:

    generic_show_sock
    => show_one_inet_sock
       => kill_inet_sock

the rth field of inet_diag_arg is not filled with the address of
an rtnl_handle instance. As a result, ss crashes.

This commit fills the field with a newly created rtnl_handle
instance.

Changes in v2:
Instead of creating rtnl_handle instances for each socket, create
one in the upper layer and reuse it.

Signed-off-by: Masatake YAMATO <yamato@...hat.com>
---
 misc/ss.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/misc/ss.c b/misc/ss.c
index 29a25070..e047f9c0 100644
--- a/misc/ss.c
+++ b/misc/ss.c
@@ -239,6 +239,7 @@ struct filter {
 	uint64_t families;
 	struct ssfilter *f;
 	bool kill;
+	struct rtnl_handle *rth_for_killing;
 };
 
 #define FAMILY_MASK(family) ((uint64_t)1 << (family))
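Review bot: the new rth_for_killing member in struct filter has no comment describing its lifetime or owner. Within this patch it is only set in handle_follow_request(), and only when f->kill is true, to the address of a stack-local handle. A one-line comment saying it is valid only for the duration of the follow-mode dump and is NULL otherwise would keep later callers from treating it as a long-lived handle.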
@@ -4262,6 +4263,7 @@ static int generic_show_sock(const struct sockaddr_nl *addr,
 	switch (r->sdiag_family) {
 	case AF_INET:
 	case AF_INET6:
+		inet_arg.rth = inet_arg.f->rth_for_killing;
 		return show_one_inet_sock(addr, nlh, &inet_arg);
 	case AF_UNIX:
 		return unix_show_sock(addr, nlh, arg);
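Review bot: the assignment "inet_arg.rth = inet_arg.f->rth_for_killing;" in the AF_INET/AF_INET6 case copies the pointer unconditionally, so it passes NULL through whenever the filter field was never set. If generic_show_sock() can be reached with f->kill set from any caller other than handle_follow_request(), kill_inet_sock() would still receive a NULL rth, which is the crash the commit message describes. Consider checking for "f->kill && !f->rth_for_killing" here and returning an error, or documenting why that combination cannot occur.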
@@ -4280,7 +4282,7 @@ static int handle_follow_request(struct filter *f)
 {
 	int ret = 0;
 	int groups = 0;
-	struct rtnl_handle rth;
+	struct rtnl_handle rth, rth2;
 
 	if (f->families & FAMILY_MASK(AF_INET) && f->dbs & (1 << TCP_DB))
 		groups |= 1 << (SKNLGRP_INET_TCP_DESTROY - 1);
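Review bot: in the declaration "struct rtnl_handle rth, rth2;" the name rth2 says nothing about its purpose and is easy to confuse with rth in the cleanup path. A name such as kill_rth would match the rth_for_killing field it is stored in. Note also that rth2 is left uninitialised unless f->kill is true, so every later use has to go through f->rth_for_killing rather than the local.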
@@ -4300,10 +4302,20 @@ static int handle_follow_request(struct filter *f)
 	rth.dump = 0;
 	rth.local.nl_pid = 0;
 
+	if (f->kill) {
+		if (rtnl_open_byproto(&rth2, groups, NETLINK_SOCK_DIAG)) {
+			rtnl_close(&rth);
+			return -1;
+		}
+		f->rth_for_killing = &rth2;
+	}
+
 	if (rtnl_dump_filter(&rth, generic_show_sock, f))
 		ret = -1;
 
 	rtnl_close(&rth);
+	if (f->rth_for_killing)
+		rtnl_close(f->rth_for_killing);
 	return ret;
 }
 
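Review bot: after "rtnl_close(f->rth_for_killing);" at the end of handle_follow_request(), f->rth_for_killing still points at the stack variable rth2, which goes out of scope on return. Set f->rth_for_killing = NULL after closing it so that a later use of the same filter cannot dereference a dangling pointer. The cleanup test "if (f->rth_for_killing)" also assumes the field is NULL on entry when f->kill is false; testing f->kill, or clearing the field at the top of the function, would make that explicit. Separately, rtnl_open_byproto(&rth2, groups, NETLINK_SOCK_DIAG) subscribes the second handle to the same destroy groups as rth; if that handle is only used to send kill requests, as the commit message indicates, passing 0 for the groups would avoid queuing notifications on a socket nobody reads.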
-- 
2.14.3
