Re: [Security] TIPC security issues |
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Heh. We apparently have _another_ iovec overflow in networking. This time rds.
Reported by Thomas Pollet <thomas.pollet@xxxxxxxxx>: look at
net/rds/rdma.c around line 490. It doesn't use the regular iovec code,
instead it cooks its own, and has a few problems with overflow.
It gathers the number of pages into an "unsigned int", and for each
entry in its own rds_iovec it will check that the size is < UINT_MAX,
and then generate the number of pages for that entry. With the whole
"unaligned address adds one" logic, it means that each entry can get
(UINT_MAX >> PAGE_SHIFT)+1 pages.
And how many entries can we have? Apparently that is capped to
UINT_MAX too. So add all those up, and they can easily overflow the
unsigned int page counter.
So this time fixing verify_iovec() doesn't help, because rds just
cooks its own, and this is using a totally different interface: it
seems to hook into sendmsg, but it looks like it uses the ancillary
data objects and passes in its own magical iovec rather than use any
"normal" iovec thing. I don't know the code, I may be totally off.
Attached is a half-arsed patch. I say "half-arsed" because I think it
fixes one thing, but I haven't looked at any other use. And quite
frankly, even the one thing it fixes is totally broken: the iovec is
left in user space, so there are all those crazy race-conditions where
another thread in user space can _change_ the rds_iovec after we have
counted the pages, and now the page count is totally wrong.
So the code is just an unmitigated disaster from any standpoint. My
patch - if it works - makes it slightly better. But I'd suggest
disabling RDS in any sane setup.
This was the same subsystem that totally didn't check the user
addresses at all, after all. So there are probably tons of other bugs
lurking.
Btw: patch is totally untested. I haven't even compiled it. So take it
with a pinch of salt.
Linus
From: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Subject: net: fix rds_iovec page count overflow
As reported by Thomas Pollet, the rdma page counting can overflow. We
get the rdma sizes in 64-bit unsigned entities, but then limit it to
UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
an unaligned address).
So each individual page count fits comfortably in an 'unsigned int' (not
even close to overflowing into signed), but as they are added up, they
might end up resulting in a signed return value. Which would be wrong.
Catch the case of tot_pages turning negative, and return the appropriate
error code.
Reported-by: Thomas Pollet <thomas.pollet@xxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
---
net/rds/rdma.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index 1a41deb..0df02c8 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -502,6 +502,13 @@ static int rds_rdma_pages(struct rds_rdma_args *args)
return -EINVAL;
tot_pages += nr_pages;
+
+ /*
+ * nr_pages for one entry is limited to (UINT_MAX>>PAGE_SHIFT)+1,
+ * so tot_pages cannot overflow without first going negative.
+ */
+ if ((int)tot_pages < 0)
+ return -EINVAL;
}
return tot_pages;
[Linux Kernel Discussion]
[Ethernet Bridging]
[Linux Wireless Networking]
[Linux Bluetooth Networking]
[Linux Networking Users]
[VLAN]
[Git]
[IETF Annouce]
[Linux Assembly]
[Security]
[Bugtraq]
[Photo]
[Singles Social Networking]
[Yosemite Information]
[MIPS Linux]
[ARM Linux Kernel]
[ARM Linux]
[Linux Virtualization]
[Linux Security]
[Linux IDE]
[Linux RAID]
[Linux SCSI]
[Free Dating]
