From: Al Viro <viro@ZenIV.linux.org.uk>
To: Jon Maloy <jon.maloy@ericsson.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
David Miller <davem@davemloft.net>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"bcrl@kvack.org" <bcrl@kvack.org>,
Masahide Nakamura <nakam@linux-ipv6.org>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Subject: Re: ipv4: Use standard iovec primitive in raw_probe_proto_opt
Date: Fri, 28 Nov 2014 05:14:18 +0000
Message-ID: <20141128051417.GA9306@ZenIV.linux.org.uk>
In-Reply-To: <20141106221608.GA7996@ZenIV.linux.org.uk>
On Thu, Nov 06, 2014 at 10:16:08PM +0000, Al Viro wrote:
> On Thu, Nov 06, 2014 at 09:55:31AM +0000, Jon Maloy wrote:
> > > Point, but that might very well be a pattern to watch for - there's at least one
> > > more instance in TIPC (also not exploitable, according to TIPC folks) and such
> >
> > I don't recall this, and I can't see where it would be either. Can you please
> > point to where it is?
>
> The same dest_name_check() thing. This
>         if (copy_from_user(&hdr, m->msg_iov[0].iov_base, sizeof(hdr)))
>                 return -EFAULT;
>         if ((ntohs(hdr.tcm_type) & 0xC000) && (!capable(CAP_NET_ADMIN)))
>                 return -EACCES;
> is easily bypassed. Suppose you want to send a packet with these two
> bits in ->tcm_type not being 00, and you don't have CAP_NET_ADMIN.
> Not a problem - spawn two threads sharing memory, have one trying to
> call sendmsg() while another keeps flipping these two bits. Sooner
> or later you'll get the timing right and have these bits observed as 00
> in dest_name_check() and 11 when it comes to memcpy_fromiovecend() actually
> copying the whole thing. And considering that the interval between those
> two is much longer than the loop in the second thread would take on
> each iteration, I'd expect the odds around 25% per attempted sendmsg().
>
> IOW, this test is either pointless and can be removed completely, or there's
> an exploitable race. As far as I understand from your replies both back then
> and in another branch of this thread, it's the former and the proper fix is
> to remove at least that part of dest_name_check(). So this case is also
> not something exploitable, but it certainly matches the same pattern.
>
> My point was simply that this pattern is worth watching for - recurrent bug
> classes like that have a good chance to spawn an instance that will be
> exploitable.
Ping? Can we simply remove dest_name_check() completely? That's one of the
few remaining obstacles to making ->sendmsg() iov_iter-clean. For now I'm
simply commenting its call out in tipc_sendmsg(); if it _is_ needed for
anything, we'll need to get rid of that double copying from userland. I can
do that, but my impression from your comments back in April is that you
planned to remove the damn check anyway.
Another question: in tipc_send_stream() we have
        mtu = tsk->max_pkt;
        send = min_t(uint, dsz - sent, TIPC_MAX_USER_MSG_SIZE);
        __skb_queue_head_init(&head);
        rc = tipc_msg_build(mhdr, m, sent, send, mtu, &head);
        if (unlikely(rc < 0))
                goto exit;
        do {
                if (likely(!tsk_conn_cong(tsk))) {
                        rc = tipc_link_xmit(&head, dnode, ref);
                        if (likely(!rc)) {
                                tsk->sent_unacked++;
                                sent += send;
                                if (sent == dsz)
                                        break;
                                goto next;
                        }
                        if (rc == -EMSGSIZE) {
                                tsk->max_pkt = tipc_node_get_mtu(dnode, ref);
                                goto next;
                        }
How can it hit that EMSGSIZE? AFAICS, it can come only from
int __tipc_link_xmit(struct tipc_link *link, struct sk_buff_head *list)
{
        struct tipc_msg *msg = buf_msg(skb_peek(list));
        uint psz = msg_size(msg);
        ...
        uint mtu = link->max_pkt;
        ...
        /* Has valid packet limit been used ? */
        if (unlikely(psz > mtu)) {
                __skb_queue_purge(list);
                return -EMSGSIZE;
        }
and msg_size() is basically the bits copied into skb by tipc_msg_build() and
set by msg_set_size() in there. And unless I'm seriously misreading that
function, it can't be more than pktmax argument, i.e. mtu. So unless something
manages to crap into our skb or change mtu right under us, it shouldn't be
possible. And mtu (i.e. ->max_pkt) ought to be protected by lock_sock() there.
What's going on there?
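A user-space model of the double-copy pattern discussed above, added here as an illustration and not code from this thread or from TIPC: the vulnerable shape validates one copy_from_user() and then copies the same user bytes again for use, while the hardened shape validates and uses a single kernel-side snapshot. The copy_from_user_sim() hook that plays the bit-flipping thread, the TCM_PRIV_MASK name and the four-byte hdr layout are assumptions of the model.

```c
#include <arpa/inet.h>   /* htons/ntohs */
#include <stdint.h>
#include <string.h>

/* The two high bits of tcm_type that dest_name_check() reserved for CAP_NET_ADMIN.
 * Mask name and struct layout are assumptions of this model, not TIPC's own. */
#define TCM_PRIV_MASK 0xC000
struct hdr { uint16_t tcm_type; uint16_t tcm_len; };

/* Stand-in for copy_from_user(): after each copy it runs an optional hook that
 * plays the second thread flipping bits in the shared user buffer. */
static void (*racer)(uint8_t *user);
static void copy_from_user_sim(void *dst, uint8_t *user, size_t n) {
	memcpy(dst, user, n);
	if (racer) racer(user);
}
static void flip_priv_bits(uint8_t *user) {
	uint16_t t; memcpy(&t, user, sizeof t);
	t = htons(ntohs(t) | TCM_PRIV_MASK); memcpy(user, &t, sizeof t);
}

/* Vulnerable shape: validate copy #1, then re-copy the same bytes for use. */
int send_double_fetch(uint8_t *user, int capable, struct hdr *out) {
	struct hdr check;
	copy_from_user_sim(&check, user, sizeof check);
	if ((ntohs(check.tcm_type) & TCM_PRIV_MASK) && !capable)
		return -1;                                  /* -EACCES in the kernel */
	copy_from_user_sim(out, user, sizeof *out);   /* bytes may differ by now */
	return 0;
}

/* Hardened shape: copy once; validate and use the same kernel-side snapshot. */
int send_single_fetch(uint8_t *user, int capable, struct hdr *out) {
	struct hdr snap;
	copy_from_user_sim(&snap, user, sizeof snap);
	if ((ntohs(snap.tcm_type) & TCM_PRIV_MASK) && !capable)
		return -1;
	*out = snap;
	return 0;
}

/* 1 if an unprivileged sender got privileged type bits through, else 0. */
int priv_bits_escaped(int (*send)(uint8_t *, int, struct hdr *)) {
	uint8_t user[sizeof(struct hdr)] = {0};
	uint16_t t = htons(0x0001);                   /* constructed harmless type */
	struct hdr h = {0};
	memcpy(user, &t, sizeof t);
	racer = flip_priv_bits;                        /* race lands after copy #1 */
	int rc = send(user, 0, &h);
	racer = NULL;
	return rc == 0 && (ntohs(h.tcm_type) & TCM_PRIV_MASK) != 0;
}
```

The model makes the race deterministic by flipping the bits right after the first copy; the single-snapshot shape is what removing the second copy from userland buys.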