tipc: Fix oops on send prior to entering networked mode (CVE-2010-1187)
svn path=/dists/sid/linux-2.6/; revision=15590
This commit is contained in:
parent
c4545e34e5
commit
f1cefb0bfa
|
@ -65,6 +65,7 @@ linux-2.6 (2.6.32-12) UNRELEASED; urgency=low
|
|||
* sctp: Fix skb_over_panic resulting from multiple invalid parameter
|
||||
errors (CVE-2010-1173)
|
||||
* [CIFS] Allow null nd (as nfs server uses) on create (CVE-2010-1148)
|
||||
* tipc: Fix oops on send prior to entering networked mode (CVE-2010-1187)
|
||||
|
||||
[ Aurelien Jarno ]
|
||||
* [sh4] Add a sh7751r flavour.
|
||||
|
|
209
debian/patches/bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch
vendored
Normal file
209
debian/patches/bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch
vendored
Normal file
|
@ -0,0 +1,209 @@
|
|||
commit d0021b252eaf65ca07ed14f0d66425dd9ccab9a6
|
||||
Author: Neil Horman <nhorman@tuxdriver.com>
|
||||
Date: Wed Mar 3 08:31:23 2010 +0000
|
||||
|
||||
tipc: Fix oops on send prior to entering networked mode (v3)
|
||||
|
||||
Fix TIPC to disallow sending to remote addresses prior to entering NET_MODE
|
||||
|
||||
user programs can oops the kernel by sending datagrams via AF_TIPC prior to
|
||||
entering networked mode. The following backtrace has been observed:
|
||||
|
||||
ID: 13459 TASK: ffff810014640040 CPU: 0 COMMAND: "tipc-client"
|
||||
[exception RIP: tipc_node_select_next_hop+90]
|
||||
RIP: ffffffff8869d3c3 RSP: ffff81002d9a5ab8 RFLAGS: 00010202
|
||||
RAX: 0000000000000001 RBX: 0000000000000001 RCX: 0000000000000001
|
||||
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000001001001
|
||||
RBP: 0000000001001001 R8: 0074736575716552 R9: 0000000000000000
|
||||
R10: ffff81003fbd0680 R11: 00000000000000c8 R12: 0000000000000008
|
||||
R13: 0000000000000001 R14: 0000000000000001 R15: ffff810015c6ca00
|
||||
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
|
||||
RIP: 0000003cbd8d49a3 RSP: 00007fffc84e0be8 RFLAGS: 00010206
|
||||
RAX: 000000000000002c RBX: ffffffff8005d116 RCX: 0000000000000000
|
||||
RDX: 0000000000000008 RSI: 00007fffc84e0c00 RDI: 0000000000000003
|
||||
RBP: 0000000000000000 R8: 00007fffc84e0c10 R9: 0000000000000010
|
||||
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
|
||||
R13: 00007fffc84e0d10 R14: 0000000000000000 R15: 00007fffc84e0c30
|
||||
ORIG_RAX: 000000000000002c CS: 0033 SS: 002b
|
||||
|
||||
What happens is that, when the tipc module in inserted it enters a standalone
|
||||
node mode in which communication to its own address is allowed <0.0.0> but not
|
||||
to other addresses, since the appropriate data structures have not been
|
||||
allocated yet (specifically the tipc_net pointer). There is nothing stopping a
|
||||
client from trying to send such a message however, and if that happens, we
|
||||
attempt to dereference tipc_net.zones while the pointer is still NULL, and
|
||||
explode. The fix is pretty straightforward. Since these oopses all arise from
|
||||
the dereference of global pointers prior to their assignment to allocated
|
||||
values, and since these allocations are small (about 2k total), lets convert
|
||||
these pointers to static arrays of the appropriate size. All the accesses to
|
||||
these bits consider 0/NULL to be a non match when searching, so all the lookups
|
||||
still work properly, and there is no longer a chance of a bad dererence
|
||||
anywhere. As a bonus, this lets us eliminate the setup/teardown routines for
|
||||
those pointers, and elimnates the need to preform any locking around them to
|
||||
prevent access while their being allocated/freed.
|
||||
|
||||
I've updated the tipc_net structure to behave this way to fix the exact reported
|
||||
problem, and also fixed up the tipc_bearers and media_list arrays to fix an
|
||||
obvious simmilar problem that arises from issuing tipc-config commands to
|
||||
manipulate bearers/links prior to entering networked mode
|
||||
|
||||
I've tested this for a few hours by running the sanity tests and stress test
|
||||
with the tipcutils suite, and nothing has fallen over. There have been a few
|
||||
lockdep warnings, but those were there before, and can be addressed later, as
|
||||
they didn't actually result in any deadlock.
|
||||
|
||||
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
|
||||
CC: Allan Stephens <allan.stephens@windriver.com>
|
||||
CC: David S. Miller <davem@davemloft.net>
|
||||
CC: tipc-discussion@lists.sourceforge.net
|
||||
|
||||
bearer.c | 37 ++++++-------------------------------
|
||||
bearer.h | 2 +-
|
||||
net.c | 25 ++++---------------------
|
||||
3 files changed, 11 insertions(+), 53 deletions(-)
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
|
||||
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
|
||||
index 327011f..7809137 100644
|
||||
--- a/net/tipc/bearer.c
|
||||
+++ b/net/tipc/bearer.c
|
||||
@@ -45,10 +45,10 @@
|
||||
|
||||
#define MAX_ADDR_STR 32
|
||||
|
||||
-static struct media *media_list = NULL;
|
||||
+static struct media media_list[MAX_MEDIA];
|
||||
static u32 media_count = 0;
|
||||
|
||||
-struct bearer *tipc_bearers = NULL;
|
||||
+struct bearer tipc_bearers[MAX_BEARERS];
|
||||
|
||||
/**
|
||||
* media_name_valid - validate media name
|
||||
@@ -108,9 +108,11 @@ int tipc_register_media(u32 media_type,
|
||||
int res = -EINVAL;
|
||||
|
||||
write_lock_bh(&tipc_net_lock);
|
||||
- if (!media_list)
|
||||
- goto exit;
|
||||
|
||||
+ if (tipc_mode != TIPC_NET_MODE) {
|
||||
+ warn("Media <%s> rejected, not in networked mode yet\n", name);
|
||||
+ goto exit;
|
||||
+ }
|
||||
if (!media_name_valid(name)) {
|
||||
warn("Media <%s> rejected, illegal name\n", name);
|
||||
goto exit;
|
||||
@@ -660,33 +662,10 @@ int tipc_disable_bearer(const char *name)
|
||||
|
||||
|
||||
|
||||
-int tipc_bearer_init(void)
|
||||
-{
|
||||
- int res;
|
||||
-
|
||||
- write_lock_bh(&tipc_net_lock);
|
||||
- tipc_bearers = kcalloc(MAX_BEARERS, sizeof(struct bearer), GFP_ATOMIC);
|
||||
- media_list = kcalloc(MAX_MEDIA, sizeof(struct media), GFP_ATOMIC);
|
||||
- if (tipc_bearers && media_list) {
|
||||
- res = 0;
|
||||
- } else {
|
||||
- kfree(tipc_bearers);
|
||||
- kfree(media_list);
|
||||
- tipc_bearers = NULL;
|
||||
- media_list = NULL;
|
||||
- res = -ENOMEM;
|
||||
- }
|
||||
- write_unlock_bh(&tipc_net_lock);
|
||||
- return res;
|
||||
-}
|
||||
-
|
||||
void tipc_bearer_stop(void)
|
||||
{
|
||||
u32 i;
|
||||
|
||||
- if (!tipc_bearers)
|
||||
- return;
|
||||
-
|
||||
for (i = 0; i < MAX_BEARERS; i++) {
|
||||
if (tipc_bearers[i].active)
|
||||
tipc_bearers[i].publ.blocked = 1;
|
||||
@@ -695,10 +674,6 @@ void tipc_bearer_stop(void)
|
||||
if (tipc_bearers[i].active)
|
||||
bearer_disable(tipc_bearers[i].publ.name);
|
||||
}
|
||||
- kfree(tipc_bearers);
|
||||
- kfree(media_list);
|
||||
- tipc_bearers = NULL;
|
||||
- media_list = NULL;
|
||||
media_count = 0;
|
||||
}
|
||||
|
||||
diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
|
||||
index ca57348..000228e 100644
|
||||
--- a/net/tipc/bearer.h
|
||||
+++ b/net/tipc/bearer.h
|
||||
@@ -114,7 +114,7 @@ struct bearer_name {
|
||||
|
||||
struct link;
|
||||
|
||||
-extern struct bearer *tipc_bearers;
|
||||
+extern struct bearer tipc_bearers[];
|
||||
|
||||
void tipc_media_addr_printf(struct print_buf *pb, struct tipc_media_addr *a);
|
||||
struct sk_buff *tipc_media_get_names(void);
|
||||
diff --git a/net/tipc/net.c b/net/tipc/net.c
|
||||
index 7906608..f25b1cd 100644
|
||||
--- a/net/tipc/net.c
|
||||
+++ b/net/tipc/net.c
|
||||
@@ -116,7 +116,8 @@
|
||||
*/
|
||||
|
||||
DEFINE_RWLOCK(tipc_net_lock);
|
||||
-struct network tipc_net = { NULL };
|
||||
+struct _zone *tipc_zones[256] = { NULL, };
|
||||
+struct network tipc_net = { tipc_zones };
|
||||
|
||||
struct tipc_node *tipc_net_select_remote_node(u32 addr, u32 ref)
|
||||
{
|
||||
@@ -158,28 +159,12 @@ void tipc_net_send_external_routes(u32 dest)
|
||||
}
|
||||
}
|
||||
|
||||
-static int net_init(void)
|
||||
-{
|
||||
- memset(&tipc_net, 0, sizeof(tipc_net));
|
||||
- tipc_net.zones = kcalloc(tipc_max_zones + 1, sizeof(struct _zone *), GFP_ATOMIC);
|
||||
- if (!tipc_net.zones) {
|
||||
- return -ENOMEM;
|
||||
- }
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
static void net_stop(void)
|
||||
{
|
||||
u32 z_num;
|
||||
|
||||
- if (!tipc_net.zones)
|
||||
- return;
|
||||
-
|
||||
- for (z_num = 1; z_num <= tipc_max_zones; z_num++) {
|
||||
+ for (z_num = 1; z_num <= tipc_max_zones; z_num++)
|
||||
tipc_zone_delete(tipc_net.zones[z_num]);
|
||||
- }
|
||||
- kfree(tipc_net.zones);
|
||||
- tipc_net.zones = NULL;
|
||||
}
|
||||
|
||||
static void net_route_named_msg(struct sk_buff *buf)
|
||||
@@ -282,9 +267,7 @@ int tipc_net_start(u32 addr)
|
||||
tipc_named_reinit();
|
||||
tipc_port_reinit();
|
||||
|
||||
- if ((res = tipc_bearer_init()) ||
|
||||
- (res = net_init()) ||
|
||||
- (res = tipc_cltr_init()) ||
|
||||
+ if ((res = tipc_cltr_init()) ||
|
||||
(res = tipc_bclink_init())) {
|
||||
return res;
|
||||
}
|
|
@ -61,3 +61,4 @@
|
|||
+ bugfix/all/virtio_net-Make-delayed-refill-more-reliable.patch
|
||||
+ bugfix/all/sctp-fix-skb_over_panic-resulting-from-multiple-invalid-parameter-errors.patch
|
||||
+ bugfix/all/cifs-allow-null-nd-on-create.patch
|
||||
+ bugfix/all/tipc-fix-oops-on-send-prior-to-entering-networked-mode.patch
|
||||
|
|
Loading…
Reference in New Issue