lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <0ee86d6d80c08f6dce6422503b247a253fa75874.camel@codeconstruct.com.au>
Date: Sat, 07 Jun 2025 15:10:49 +0800
From: Jeremy Kerr <jk@...econstruct.com.au>
To: Patrick Williams <patrick@...cx.xyz>, Matt Johnston
 <matt@...econstruct.com.au>, "David S. Miller" <davem@...emloft.net>, Eric
 Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo
 Abeni <pabeni@...hat.com>,  Simon Horman <horms@...nel.org>, Kuniyuki
 Iwashima <kuniyu@...zon.com>, Peter Yin <peteryin.openbmc@...il.com>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: mctp: fix infinite data from mctp_dump_addrinfo

Hi Patrick,

[+CC Peter Yin, who has reported a similar thing]

Thanks for the report and patch. I've been staring at the
for_each_netdev_dump() behaviour, and I'm not (yet) certain that the fix
is sufficient:

> When all the addresses for an interface has been sent, the code reset
> the address to zero and relies on `for_each_netdev_dump` for
> incrementing the index.  However, `for_each_netdev_dump` (which is
> using `xa_for_each_start`) does not set the index for the last
> entry[1].

but that still seems to be acceptable:

 - if entry there is null (and so we're not updating *indexp), then
   xa_find() will be returning NULL

 - if xa_find returns NULL, we're not iterating the for-loop

 - therefore the original indexp value is sufficient to act as the
   loop terminator

If an xa_find() of the index *does* yield a device, we'll increment
index as part of the for_each_netdev_dump() macro (unless we're still
working through the address array, in which case we do want to use the
same index at the next call).

FWIW, I'm not able to reproduce the issue here on v6.15, even when
forcing various combinations of netlink-message splits, but we do have
other reports of it happening. Are you able to share a trace of the
recvfrom() calls for `mctp addr`? That may help to understand the
breakage.

So, it seems like there's something more subtle happening here - or I
have misunderstood something about the fix (I'm unsure of the reference
to xa_for_each_start; for_each_netdev_dump only calls xa_start?). I'll
continue with the debug and update shortly.

Cheers,


Jeremy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ