From: "Ilpo Järvinen" <ilpo.jarvinen@helsinki.fi>
To: Eric Sesterhenn <snakebyte@gmx.de>
Cc: Netdev <netdev@vger.kernel.org>,
	David Miller <davem@davemloft.net>,
	yoshfuji@linux-ipv6.org
Subject: Re: [BUG] icmpv6fuzz creates bad paging request
Date: Fri, 2 Jan 2009 10:53:18 +0200 (EET)
Message-ID: <Pine.LNX.4.64.0901021040050.6207@wrl-59.cs.helsinki.fi>
In-Reply-To: <20090101201304.GA6698@alice>


On Thu, 1 Jan 2009, Eric Sesterhenn wrote:

> Hi,
> 
> running "icmpv6fuzz -r 2187" gives me the following oops with current -git
> 
> 
> [ 4320.851654] BUG: unable to handle kernel paging request at c9527000
> [ 4320.851749] IP: [<c04e5668>] __copy_from_user_ll+0x8c/0xd8
> [ 4320.851898] *pde = 0001f067 *pte = 09527160 
> [ 4320.851977] Oops: 0002 [#1] PREEMPT DEBUG_PAGEALLOC
> [ 4320.852011] last sysfs file: /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/resource
> [ 4320.852011] Modules linked in:
> [ 4320.852011] 
> [ 4320.852011] Pid: 5065, comm: icmpv6fuzz Tainted: G        W  (2.6.28-04928-g6a94cb7 #152) System Name
> [ 4320.852011] EIP: 0060:[<c04e5668>] EFLAGS: 00010202 CPU: 0
> [ 4320.852011] EIP is at __copy_from_user_ll+0x8c/0xd8
> [ 4320.852011] EAX: 00000000 EBX: 4b17b3d7 ECX: 4b1782d7 EDX: 00000000
> [ 4320.852011] ESI: 097d5f24 EDI: c9526fc8 EBP: c9523da0 ESP: c9523d98
> [ 4320.852011]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> [ 4320.852011] Process icmpv6fuzz (pid: 5065, ti=c9523000 task=cee15b00 task.ti=c9523000)
> [ 4320.852011] Stack:
> [ 4320.852011]  c9523ec8 097d2e24 c9523db4 c04e5907 00000000 c9523ec8 cee431fc c9523f1c
> [ 4320.852011]  c06fd4db 00000032 cee42f00 00000000 cee15b00 00000002 00000000 00000000
> [ 4320.852011]  c951ea64 cee15b00 00000002 00000000 00000000 c951ea64 cee15b00 00000246
> [ 4320.852011] Call Trace:
> [ 4320.852011]  [<c04e5907>] ? copy_from_user+0x36/0x59
> [ 4320.852011]  [<c06fd4db>] ? ipv6_setsockopt+0x4ed/0xb8e
> [ 4320.852011]  [<c017c674>] ? might_fault+0x42/0x7e
> [ 4320.852011]  [<c04e5b25>] ? copy_to_user+0x38/0x43
> [ 4320.852011]  [<c01421d1>] ? print_lock_contention_bug+0x11/0xb2
> [ 4320.852011]  [<c0143f37>] ? trace_hardirqs_on+0xb/0xd
> [ 4320.852011] Code: 1c 8b 46 20 8b 56 24 89 47 20 89 57 24 8b 46 28 8b 56 2c 89 47 28 89 57 2c 8b 46 30 8b 56 34 89 47 30 89 57 34 8b 46 38 8b 56 3c <89> 47 38 89 57 3c 83 c1 c0 83 c6 40 83 c7 40 83 f9 3f 77 88 89 
> [ 4320.852011] EIP: [<c04e5668>] __copy_from_user_ll+0x8c/0xd8 SS:ESP 0068:c9523d98
> [ 4320.852011] ---[ end trace 4eaa2a86a8e2da22 ]---

Can you try the patch below?

I wonder btw what's the correct policy wrt. those optval == NULL checks 
that are visible in the patch's context (IPV6_PKTINFO is the only one which
is doing that while many there fetch to sizeof(struct something)).

-- 
 i.

[PATCH] ipv6: IPV6_PKTINFO relied on userspace providing correct length

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Reported-by: Eric Sesterhenn <snakebyte@gmx.de>
---
 net/ipv6/ipv6_sockglue.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 0069b7e..d31df0f 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -403,7 +403,7 @@ sticky_done:
 		else if (optlen < sizeof(struct in6_pktinfo) || optval == NULL)
 			goto e_inval;
 
-		if (copy_from_user(&pkt, optval, optlen)) {
+		if (copy_from_user(&pkt, optval, sizeof(struct in6_pktinfo))) {
 				retv = -EFAULT;
 				break;
 		}
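Review bot: in the `+` line, consider `sizeof(pkt)` instead of `sizeof(struct in6_pktinfo)`, so the copy length is tied to the destination object itself and cannot drift from it if the type of `pkt` ever changes; the root cause here was precisely a copy length (`optlen`, user-controlled) that was decoupled from the destination size, which the write fault at c9527000 inside `__copy_from_user_ll` in the report above shows. The `optval == NULL` test on the context line `else if (optlen < sizeof(struct in6_pktinfo) || optval == NULL)` is redundant with the -EFAULT that `copy_from_user()` already returns for an unreadable pointer, which is the inconsistency the cover text raises; dropping it would make this option behave like its neighbours, or a short comment should say why IPV6_PKTINFO differs.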
-- 
1.5.2.2
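As an added illustration of the defect the one-line patch above fixes (this is constructed example code, not part of the thread and not the kernel's source): a setsockopt-style handler copies into a fixed-size local object, so the copy length must come from the destination, never from the user-supplied optlen. The minimum-length check on the context line rejects buffers that are too short but says nothing about buffers that are too long. The code below models both the pre-patch and post-patch copy policies against a stand-in for struct in6_pktinfo (20 bytes, assumed layout), surrounds the destination with guard bytes standing in for whatever follows it in memory, and reports how many guard bytes the copy clobbered. The fake copy_from_user() and the clamp to the guard arena exist only to keep the simulation well-defined; the real helper has no such clamp.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct in6_pktinfo: 16-byte address plus 4-byte ifindex
 * (20 bytes). Assumed layout for this example, not the kernel's definition. */
struct pktinfo_like {
    uint8_t  addr[16];
    uint32_t ifindex;
};

#define GUARD_LEN  64     /* models "whatever sits after pkt in memory" */
#define GUARD_BYTE 0xA5

enum copy_policy {
    COPY_OPTLEN,   /* pre-patch:  copy_from_user(&pkt, optval, optlen) */
    COPY_FIXED     /* post-patch: copy_from_user(&pkt, optval, sizeof(pkt)) */
};

/* Model of copy_from_user(): the "user" buffer is an ordinary array, so it
 * never faults. Like the real helper, it has no idea how large the
 * destination is; the caller's length is trusted completely. */
static int fake_copy_from_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/*
 * Mimics the IPV6_PKTINFO branch of the setsockopt handler. Returns -1 when
 * the request is rejected (the e_inval path), otherwise the number of bytes
 * written past the end of the struct (0 means the copy stayed in bounds).
 */
static int handle_pktinfo(const uint8_t *optval, size_t optlen,
                          enum copy_policy policy, struct pktinfo_like *out)
{
    uint8_t arena[sizeof(struct pktinfo_like) + GUARD_LEN];
    size_t copy_len, i;
    int spilled = 0;

    /* Same shape as the kernel's check: it only rejects buffers that are
     * too SHORT; any larger optlen passes. */
    if (optlen < sizeof(struct pktinfo_like) || optval == NULL)
        return -1;

    memset(arena, GUARD_BYTE, sizeof arena);

    copy_len = (policy == COPY_OPTLEN) ? optlen : sizeof(struct pktinfo_like);
    if (copy_len > sizeof arena)       /* simulation-only clamp */
        copy_len = sizeof arena;

    if (fake_copy_from_user(arena, optval, copy_len))
        return -1;

    memcpy(out, arena, sizeof *out);

    /* Count guard bytes the copy overwrote: memory that was never ours. */
    for (i = sizeof(struct pktinfo_like); i < sizeof arena; i++)
        if (arena[i] != GUARD_BYTE)
            spilled++;
    return spilled;
}

/* Builds a constructed user buffer of 'len' bytes filled with 0x41 and
 * runs it through the chosen policy; returns handle_pktinfo()'s result. */
static int run_case(size_t len, enum copy_policy policy)
{
    uint8_t user_buf[256];
    struct pktinfo_like pkt;

    memset(user_buf, 0x41, sizeof user_buf);
    if (len > sizeof user_buf)
        len = sizeof user_buf;
    return handle_pktinfo(user_buf, len, policy, &pkt);
}

/* A NULL optval is refused by the explicit check before any copy happens. */
static int run_null_case(enum copy_policy policy)
{
    struct pktinfo_like pkt;
    return handle_pktinfo(NULL, sizeof pkt, policy, &pkt);
}

int main(void)
{
    printf("optlen=20, pre-patch : spilled %d bytes\n", run_case(20, COPY_OPTLEN));
    printf("optlen=52, pre-patch : spilled %d bytes\n", run_case(52, COPY_OPTLEN));
    printf("optlen=52, post-patch: spilled %d bytes\n", run_case(52, COPY_FIXED));
    printf("optlen=8,  either    : rc %d (rejected)\n", run_case(8, COPY_FIXED));
    printf("optval=NULL          : rc %d (rejected)\n", run_null_case(COPY_FIXED));
    return 0;
}
```

With the pre-patch policy a 52-byte optlen overwrites 32 bytes beyond the 20-byte struct; with the post-patch policy the same input writes exactly 20 bytes and leaves the guard intact. In the kernel the overrun lands on whatever follows the local struct in the stack frame, which with DEBUG_PAGEALLOC eventually reaches an unmapped page and produces the paging-request oops in the report.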


Thread overview: 6+ messages
2009-01-01 20:13 [BUG] icmpv6fuzz creates bad paging request Eric Sesterhenn
2009-01-02  8:53 ` Ilpo Järvinen [this message]
2009-01-02  9:05   ` Herbert Xu
2009-01-05  1:28     ` David Miller
2009-01-02 10:28   ` Eric Sesterhenn
2009-01-02  8:59 ` Herbert Xu
