lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1562152028-2693-1-git-send-email-debrabander@gmail.com>
Date:   Wed,  3 Jul 2019 13:07:08 +0200
From:   Frank de Brabander <debrabander@...il.com>
To:     "David S . Miller" <davem@...emloft.net>,
        Willem de Bruijn <willemb@...gle.com>
Cc:     netdev@...r.kernel.org, Frank de Brabander <debrabander@...il.com>
Subject: bug: tpacket_snd can cause data corruption

In commit 5cd8d46e a fix was applied for data corruption in
tpacket_snd. A selftest was added in commit 358be656 which
validates this fix.

Unfortunately this bug still persists, although since this fix less
likely to trigger. This bug was initially observed using a PACKET_MMAP
application, but can also be seen by tweaking the kernel selftest.

By tweaking the selftest txring_overwrite.c to run
as an infinite loop, the data corruption will still trigger. It
seems to occur faster by generating interrupts (e.g. by plugging
in USB devices). Tested with kernel version 5.2-RC7.

Cause for this bug is still unclear.

Signed-off-by: Frank de Brabander <debrabander@...il.com>
---
 tools/testing/selftests/net/txring_overwrite.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/tools/testing/selftests/net/txring_overwrite.c b/tools/testing/selftests/net/txring_overwrite.c
index fd8b1c6..3ee23e5 100644
--- a/tools/testing/selftests/net/txring_overwrite.c
+++ b/tools/testing/selftests/net/txring_overwrite.c
@@ -143,19 +143,22 @@ static int read_verify_pkt(int fdr, char payload_char)
 	int ret;
 
 	ret = read(fdr, buf, sizeof(buf));
-	if (ret != sizeof(buf))
-		error(1, errno, "read");
+	if (ret != sizeof(buf)) {
+		//error(1, errno, "read");
+		printf("read error\n");
+		return 1;
+	}
 
 	if (buf[60] != payload_char) {
 		printf("wrong pattern: 0x%x != 0x%x\n", buf[60], payload_char);
 		return 1;
 	}
 
-	printf("read: %c (0x%x)\n", buf[60], buf[60]);
+	//printf("read: %c (0x%x)\n", buf[60], buf[60]);
 	return 0;
 }
 
-int main(int argc, char **argv)
+void run_test(void)
 {
 	const char payload_patterns[] = "ab";
 	char *ring;
@@ -177,3 +180,10 @@ int main(int argc, char **argv)
 
 	return ret;
 }
+
+int main(int argc, char **argv)
+{
+	while (true) {
+		run_test();
+	}
+}
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ