Re: [stable] [BUG] net: fix /proc/net/snmp as memory corruptor

Re: [stable] [BUG] net: fix /proc/net/snmp as memory corruptor

[Greg KH]

On Fri, Nov 14, 2008 at 06:08:48AM +0100, Eric Dumazet wrote:
> Hello Greg
> 
> A patch was submited about /proc/net/snmp being a memory corruptor and not SMP safe
> 
> (commit b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8)
> 
> These bugs are present on 2.6.26 & 2.6.27.

I looking at this, it doesn't seem to apply at all to the .27 tree.  If
David doesn't object, care to backport it there and send it to
stable@kernel.org?

thanks,

greg k-h

Re: [stable] [BUG] net: fix /proc/net/snmp as memory corruptor

[Eric Dumazet]

Greg KH a écrit :
> On Fri, Nov 14, 2008 at 06:08:48AM +0100, Eric Dumazet wrote:
>> Hello Greg
>>
>> A patch was submited about /proc/net/snmp being a memory corruptor and not SMP safe
>>
>> (commit b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8)
>>
>> These bugs are present on 2.6.26 & 2.6.27.
> 
> I looking at this, it doesn't seem to apply at all to the .27 tree.  If
> David doesn't object, care to backport it there and send it to
> stable@kernel.org?
> 

Strange... I just tried to apply patch on top of a fresh linux-2.6.27.6 tree and got no error

# patch -p1 < /tmp/icmp_snmp.patch
patching file net/ipv4/proc.c
#

Re: [stable] [BUG] net: fix /proc/net/snmp as memory corruptor

[Greg KH]

[-- Attachment #1: Type: text/plain, Size: 1009 bytes --]

On Sat, Nov 15, 2008 at 06:25:33AM +0100, Eric Dumazet wrote:
> Greg KH a écrit :
>> On Fri, Nov 14, 2008 at 06:08:48AM +0100, Eric Dumazet wrote:
>>> Hello Greg
>>>
>>> A patch was submited about /proc/net/snmp being a memory corruptor and 
>>> not SMP safe
>>>
>>> (commit b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8)
>>>
>>> These bugs are present on 2.6.26 & 2.6.27.
>> I looking at this, it doesn't seem to apply at all to the .27 tree.  If
>> David doesn't object, care to backport it there and send it to
>> stable@kernel.org?
>
> Strange... I just tried to apply patch on top of a fresh linux-2.6.27.6 
> tree and got no error
>
> # patch -p1 < /tmp/icmp_snmp.patch
> patching file net/ipv4/proc.c
> #

I've attached the patch I tried to apply below.  It fails with:
	$ patch -p1 --dry-run < ../net-fix-proc-net-snmp-as-memory-corruptor.patch 
	patching file net/ipv4/proc.c
	Hunk #1 FAILED at 237.
	1 out of 1 hunk FAILED -- saving rejects to file net/ipv4/proc.c.rej


Any thoughts?

thanks,

greg k-h

[-- Attachment #2: net-fix-proc-net-snmp-as-memory-corruptor.patch --]
[-- Type: text/plain, Size: 2638 bytes --]

>From b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <dada1@cosmosbay.com>
Date: Mon, 10 Nov 2008 21:43:08 -0800
Subject: net: fix /proc/net/snmp as memory corruptor

From: Eric Dumazet <dada1@cosmosbay.com>

commit b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8 upstream.

icmpmsg_put() can happily corrupt kernel memory, using a static
table and forgetting to reset an array index in a loop.

Remove the static array since its not safe without proper locking.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -237,43 +237,45 @@ static const struct snmp_mib snmp4_net_list[] = {
 	SNMP_MIB_SENTINEL
 };
 
+static void icmpmsg_put_line(struct seq_file *seq, unsigned long *vals,
+			     unsigned short *type, int count)
+{
+	int j;
+
+	if (count) {
+		seq_printf(seq, "nIcmpMsg:");
+		for (j = 0; j < count; ++j)
+			seq_printf(seq, " %sType%u",
+				type[j] & 0x100 ? "Out" : "In",
+				type[j] & 0xff);
+		seq_printf(seq, "nIcmpMsg:");
+		for (j = 0; j < count; ++j)
+			seq_printf(seq, " %lu", vals[j]);
+	}
+}
+
 static void icmpmsg_put(struct seq_file *seq)
 {
 #define PERLINE	16
 
-	int j, i, count;
-	static int out[PERLINE];
+	int i, count;
+	unsigned short type[PERLINE];
+	unsigned long vals[PERLINE], val;
 	struct net *net = seq->private;
 
 	count = 0;
 	for (i = 0; i < ICMPMSG_MIB_MAX; i++) {
-
-		if (snmp_fold_field((void **) net->mib.icmpmsg_statistics, i))
-			out[count++] = i;
-		if (count < PERLINE)
-			continue;
-
-		seq_printf(seq, "nIcmpMsg:");
-		for (j = 0; j < PERLINE; ++j)
-			seq_printf(seq, " %sType%u", i & 0x100 ? "Out" : "In",
-					i & 0xff);
-		seq_printf(seq, "nIcmpMsg: ");
-		for (j = 0; j < PERLINE; ++j)
-			seq_printf(seq, " %lu",
-				snmp_fold_field((void **) net->mib.icmpmsg_statistics,
-				out[j]));
-		seq_putc(seq, 'n');
-	}
-	if (count) {
-		seq_printf(seq, "nIcmpMsg:");
-		for (j = 0; j < count; ++j)
-			seq_printf(seq, " %sType%u", out[j] & 0x100 ? "Out" 
-				"In", out[j] & 0xff);
-		seq_printf(seq, "nIcmpMsg:");
-		for (j = 0; j < count; ++j)
-			seq_printf(seq, " %lu", snmp_fold_field((void **)
-				net->mib.icmpmsg_statistics, out[j]));
+		val = snmp_fold_field((void **) net->mib.icmpmsg_statistics, i);
+		if (val) {
+			type[count] = i;
+			vals[count++] = val;
+		}
+		if (count == PERLINE) {
+			icmpmsg_put_line(seq, vals, type, count);
+			count = 0;
+		}
 	}
+	icmpmsg_put_line(seq, vals, type, count);
 
 #undef PERLINE
 }

Re: [stable] [BUG] net: fix /proc/net/snmp as memory corruptor

[Eric Dumazet]

[-- Attachment #1: Type: text/plain, Size: 1291 bytes --]

Greg KH a écrit :
> On Sat, Nov 15, 2008 at 06:25:33AM +0100, Eric Dumazet wrote:
>> Greg KH a écrit :
>>> On Fri, Nov 14, 2008 at 06:08:48AM +0100, Eric Dumazet wrote:
>>>> Hello Greg
>>>>
>>>> A patch was submited about /proc/net/snmp being a memory corruptor and 
>>>> not SMP safe
>>>>
>>>> (commit b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8)
>>>>
>>>> These bugs are present on 2.6.26 & 2.6.27.
>>> I looking at this, it doesn't seem to apply at all to the .27 tree.  If
>>> David doesn't object, care to backport it there and send it to
>>> stable@kernel.org?
>> Strange... I just tried to apply patch on top of a fresh linux-2.6.27.6 
>> tree and got no error
>>
>> # patch -p1 < /tmp/icmp_snmp.patch
>> patching file net/ipv4/proc.c
>> #
> 
> I've attached the patch I tried to apply below.  It fails with:
> 	$ patch -p1 --dry-run < ../net-fix-proc-net-snmp-as-memory-corruptor.patch 
> 	patching file net/ipv4/proc.c
> 	Hunk #1 FAILED at 237.
> 	1 out of 1 hunk FAILED -- saving rejects to file net/ipv4/proc.c.rej
> 
> 
> Any thoughts?
> 
> thanks,
> 
> greg k-h
> 

Yes, you lost all the '\' character in "\n" sequences... 
Also one missing ":" at the end of one line

I dont know how you did it :)

Here is the (manually) corrected file 

[-- Attachment #2: p.patch --]
[-- Type: text/plain, Size: 2574 bytes --]

From: Eric Dumazet <dada1@cosmosbay.com>
Date: Mon, 10 Nov 2008 21:43:08 -0800
Subject: net: fix /proc/net/snmp as memory corruptor

From: Eric Dumazet <dada1@cosmosbay.com>

commit b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8 upstream.

icmpmsg_put() can happily corrupt kernel memory, using a static
table and forgetting to reset an array index in a loop.

Remove the static array since its not safe without proper locking.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -237,43 +237,45 @@ static const struct snmp_mib snmp4_net_list[] = {
 	SNMP_MIB_SENTINEL
 };
 
+static void icmpmsg_put_line(struct seq_file *seq, unsigned long *vals,
+			     unsigned short *type, int count)
+{
+	int j;
+
+	if (count) {
+		seq_printf(seq, "\nIcmpMsg:");
+		for (j = 0; j < count; ++j)
+			seq_printf(seq, " %sType%u",
+				type[j] & 0x100 ? "Out" : "In",
+				type[j] & 0xff);
+		seq_printf(seq, "\nIcmpMsg:");
+		for (j = 0; j < count; ++j)
+			seq_printf(seq, " %lu", vals[j]);
+	}
+}
+
 static void icmpmsg_put(struct seq_file *seq)
 {
 #define PERLINE	16
 
-	int j, i, count;
-	static int out[PERLINE];
+	int i, count;
+	unsigned short type[PERLINE];
+	unsigned long vals[PERLINE], val;
 	struct net *net = seq->private;
 
 	count = 0;
 	for (i = 0; i < ICMPMSG_MIB_MAX; i++) {
-
-		if (snmp_fold_field((void **) net->mib.icmpmsg_statistics, i))
-			out[count++] = i;
-		if (count < PERLINE)
-			continue;
-
-		seq_printf(seq, "\nIcmpMsg:");
-		for (j = 0; j < PERLINE; ++j)
-			seq_printf(seq, " %sType%u", i & 0x100 ? "Out" : "In",
-					i & 0xff);
-		seq_printf(seq, "\nIcmpMsg: ");
-		for (j = 0; j < PERLINE; ++j)
-			seq_printf(seq, " %lu",
-				snmp_fold_field((void **) net->mib.icmpmsg_statistics,
-				out[j]));
-		seq_putc(seq, '\n');
-	}
-	if (count) {
-		seq_printf(seq, "\nIcmpMsg:");
-		for (j = 0; j < count; ++j)
-			seq_printf(seq, " %sType%u", out[j] & 0x100 ? "Out" :
-				"In", out[j] & 0xff);
-		seq_printf(seq, "\nIcmpMsg:");
-		for (j = 0; j < count; ++j)
-			seq_printf(seq, " %lu", snmp_fold_field((void **)
-				net->mib.icmpmsg_statistics, out[j]));
+		val = snmp_fold_field((void **) net->mib.icmpmsg_statistics, i);
+		if (val) {
+			type[count] = i;
+			vals[count++] = val;
+		}
+		if (count == PERLINE) {
+			icmpmsg_put_line(seq, vals, type, count);
+			count = 0;
+		}
 	}
+	icmpmsg_put_line(seq, vals, type, count);
 
 #undef PERLINE
 }

Re: [stable] [BUG] net: fix /proc/net/snmp as memory corruptor

[Greg KH]

On Sat, Nov 15, 2008 at 09:37:27AM +0100, Eric Dumazet wrote:
> Greg KH a écrit :
>> On Sat, Nov 15, 2008 at 06:25:33AM +0100, Eric Dumazet wrote:
>>> Greg KH a écrit :
>>>> On Fri, Nov 14, 2008 at 06:08:48AM +0100, Eric Dumazet wrote:
>>>>> Hello Greg
>>>>>
>>>>> A patch was submited about /proc/net/snmp being a memory corruptor and 
>>>>> not SMP safe
>>>>>
>>>>> (commit b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8)
>>>>>
>>>>> These bugs are present on 2.6.26 & 2.6.27.
>>>> I looking at this, it doesn't seem to apply at all to the .27 tree.  If
>>>> David doesn't object, care to backport it there and send it to
>>>> stable@kernel.org?
>>> Strange... I just tried to apply patch on top of a fresh linux-2.6.27.6 
>>> tree and got no error
>>>
>>> # patch -p1 < /tmp/icmp_snmp.patch
>>> patching file net/ipv4/proc.c
>>> #
>> I've attached the patch I tried to apply below.  It fails with:
>> 	$ patch -p1 --dry-run < 
>> ../net-fix-proc-net-snmp-as-memory-corruptor.patch 	patching file 
>> net/ipv4/proc.c
>> 	Hunk #1 FAILED at 237.
>> 	1 out of 1 hunk FAILED -- saving rejects to file net/ipv4/proc.c.rej
>> Any thoughts?
>> thanks,
>> greg k-h
>
> Yes, you lost all the '\' character in "\n" sequences... Also one missing 
> ":" at the end of one line
>
> I dont know how you did it :)

Oh crap, that's my fault.  I hate bash at times, I'm using a script to
copy changesets and format them in the way that works for the stable
tree.  I need to switch it to perl so these things don't happen :(

In looking closer, I also messed up on some other patches in this -rc1,
I need to redo the whole thing.  Ugh.

Thanks for pointing this out, I'll fix it up.

greg k-h

Re: [stable] [BUG] net: fix /proc/net/snmp as memory corruptor

[Greg KH]

On Sat, Nov 15, 2008 at 10:43:09AM -0800, Greg KH wrote:
> On Sat, Nov 15, 2008 at 09:37:27AM +0100, Eric Dumazet wrote:
> > Greg KH a écrit :
> >> On Sat, Nov 15, 2008 at 06:25:33AM +0100, Eric Dumazet wrote:
> >>> Greg KH a écrit :
> >>>> On Fri, Nov 14, 2008 at 06:08:48AM +0100, Eric Dumazet wrote:
> >>>>> Hello Greg
> >>>>>
> >>>>> A patch was submited about /proc/net/snmp being a memory corruptor and 
> >>>>> not SMP safe
> >>>>>
> >>>>> (commit b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8)
> >>>>>
> >>>>> These bugs are present on 2.6.26 & 2.6.27.
> >>>> I looking at this, it doesn't seem to apply at all to the .27 tree.  If
> >>>> David doesn't object, care to backport it there and send it to
> >>>> stable@kernel.org?
> >>> Strange... I just tried to apply patch on top of a fresh linux-2.6.27.6 
> >>> tree and got no error
> >>>
> >>> # patch -p1 < /tmp/icmp_snmp.patch
> >>> patching file net/ipv4/proc.c
> >>> #
> >> I've attached the patch I tried to apply below.  It fails with:
> >> 	$ patch -p1 --dry-run < 
> >> ../net-fix-proc-net-snmp-as-memory-corruptor.patch 	patching file 
> >> net/ipv4/proc.c
> >> 	Hunk #1 FAILED at 237.
> >> 	1 out of 1 hunk FAILED -- saving rejects to file net/ipv4/proc.c.rej
> >> Any thoughts?
> >> thanks,
> >> greg k-h
> >
> > Yes, you lost all the '\' character in "\n" sequences... Also one missing 
> > ":" at the end of one line
> >
> > I dont know how you did it :)
> 
> Oh crap, that's my fault.  I hate bash at times, I'm using a script to
> copy changesets and format them in the way that works for the stable
> tree.  I need to switch it to perl so these things don't happen :(
> 
> In looking closer, I also messed up on some other patches in this -rc1,
> I need to redo the whole thing.  Ugh.
> 
> Thanks for pointing this out, I'll fix it up.

Ok, I've now added it, thanks for being patient and helping me find my
problem.

greg k-h

Re: [stable] [BUG] net: fix /proc/net/snmp as memory corruptor

[Eric Dumazet]

Greg KH a écrit :
> 
> Ok, I've now added it, thanks for being patient and helping me find my
> problem.
> 

You are very welcome Greg, you are doing a fantastic job !

Re: [stable] [BUG] net: fix /proc/net/snmp as memory corruptor

[David Miller]

From: Greg KH <greg@kroah.com>
Date: Fri, 14 Nov 2008 21:10:15 -0800

> On Fri, Nov 14, 2008 at 06:08:48AM +0100, Eric Dumazet wrote:
> > Hello Greg
> > 
> > A patch was submited about /proc/net/snmp being a memory corruptor and not SMP safe
> > 
> > (commit b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8)
> > 
> > These bugs are present on 2.6.26 & 2.6.27.
> 
> I looking at this, it doesn't seem to apply at all to the .27 tree.  If
> David doesn't object, care to backport it there and send it to
> stable@kernel.org?

No objection.