linux-stable.git/net/packet, branch linux-2.6.32.y Linux kernel stable tree net: rework recvmsg handler msg_name and msg_namelen logic 2014-05-19T05:54:00+00:00 Hannes Frederic Sowa hannes@stressinduktion.org 2013-11-21T02:14:22+00:00 4485f23cb4c08b21f0a4434a65c8adf0026d589a CVE-2013-7266 BugLink: http://bugs.launchpad.net/bugs/1267081 This patch now always passes msg->msg_namelen as 0. recvmsg handlers must set msg_namelen to the proper size <= sizeof(struct sockaddr_storage) to return msg_name to the user. This prevents numerous uninitialized memory leaks we had in the recvmsg handlers and makes it harder for new code to accidentally leak uninitialized memory. Optimize for the case recvfrom is called with NULL as address. We don't need to copy the address at all, so set it to NULL before invoking the recvmsg handler. We can do so, because all the recvmsg handlers must cope with the case a plain read() is called on them. read() also sets msg_name to NULL. Also document these changes in include/linux/net.h as suggested by David Miller. Changes since RFC: Set msg->msg_name = NULL if user specified a NULL in msg_name but had a non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't affect sendto as it would bail out earlier while trying to copy-in the address. It also more naturally reflects the logic by the callers of verify_iovec. With this change in place I could remove " if (!uaddr || msg_sys->msg_namelen == 0) msg->msg_name = NULL ". This change does not alter the user visible error logic as we ignore msg_namelen as long as msg_name is NULL. Also remove two unnecessary curly brackets in ___sys_recvmsg and change comments to netdev style. Cc: David Miller <davem@davemloft.net> Suggested-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> (back ported from commit f3d3342602f8bcbf37d7c46641cb9bca7618eb1c) Signed-off-by: Luis Henriques <luis.henriques@canonical.com> Acked-by: Andy Whitcroft <andy.whitcroft@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Willy Tarreau <w@1wt.eu> 
CVE-2013-7266

BugLink: http://bugs.launchpad.net/bugs/1267081

This patch now always passes msg->msg_namelen as 0. recvmsg handlers must
set msg_namelen to the proper size <= sizeof(struct sockaddr_storage)
to return msg_name to the user.

This prevents numerous uninitialized memory leaks we had in the
recvmsg handlers and makes it harder for new code to accidentally leak
uninitialized memory.

Optimize for the case recvfrom is called with NULL as address. We don't
need to copy the address at all, so set it to NULL before invoking the
recvmsg handler. We can do so, because all the recvmsg handlers must
cope with the case a plain read() is called on them. read() also sets
msg_name to NULL.

Also document these changes in include/linux/net.h as suggested by David
Miller.

Changes since RFC:

Set msg->msg_name = NULL if user specified a NULL in msg_name but had a
non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't
affect sendto as it would bail out earlier while trying to copy-in the
address. It also more naturally reflects the logic by the callers of
verify_iovec.

With this change in place I could remove "
if (!uaddr || msg_sys->msg_namelen == 0)
	msg->msg_name = NULL
".

This change does not alter the user visible error logic as we ignore
msg_namelen as long as msg_name is NULL.

Also remove two unnecessary curly brackets in ___sys_recvmsg and change
comments to netdev style.

Cc: David Miller <davem@davemloft.net>
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(back ported from commit f3d3342602f8bcbf37d7c46641cb9bca7618eb1c)
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Acked-by: Andy Whitcroft <andy.whitcroft@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
packet: packet_getname_spkt: make sure string is always 0-terminated 2014-05-19T05:53:43+00:00 Daniel Borkmann dborkman@redhat.com 2013-06-12T14:02:27+00:00 6597b256646d4ff022bedd364b59fa3de0c05acc [ Upstream commit 2dc85bf323515e59e15dfa858d1472bb25cad0fe ] uaddr->sa_data is exactly of size 14, which is hard-coded here and passed as a size argument to strncpy(). A device name can be of size IFNAMSIZ (== 16), meaning we might leave the destination string unterminated. Thus, use strlcpy() and also sizeof() while we're at it. We need to memset the data area beforehand, since strlcpy does not padd the remaining buffer with zeroes for user space, so that we do not possibly leak anything. Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu> 
[ Upstream commit 2dc85bf323515e59e15dfa858d1472bb25cad0fe ]

uaddr->sa_data is exactly of size 14, which is hard-coded here and
passed as a size argument to strncpy(). A device name can be of size
IFNAMSIZ (== 16), meaning we might leave the destination string
unterminated. Thus, use strlcpy() and also sizeof() while we're
at it. We need to memset the data area beforehand, since strlcpy
does not padd the remaining buffer with zeroes for user space, so
that we do not possibly leak anything.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
af_packet: remove BUG statement in tpacket_destruct_skb 2013-06-10T09:43:26+00:00 danborkmann@iogearbox.net danborkmann@iogearbox.net 2012-08-10T22:48:54+00:00 6f96a94d976a4fd37ee1617da8a3767be5494932 [ Upstream commit 7f5c3e3a80e6654cf48dfba7cf94f88c6b505467 ] Here's a quote of the comment about the BUG macro from asm-generic/bug.h: Don't use BUG() or BUG_ON() unless there's really no way out; one example might be detecting data structure corruption in the middle of an operation that can't be backed out of. If the (sub)system can somehow continue operating, perhaps with reduced functionality, it's probably not BUG-worthy. If you're tempted to BUG(), think again: is completely giving up really the *only* solution? There are usually better options, where users don't need to reboot ASAP and can mostly shut down cleanly. In our case, the status flag of a ring buffer slot is managed from both sides, the kernel space and the user space. This means that even though the kernel side might work as expected, the user space screws up and changes this flag right between the send(2) is triggered when the flag is changed to TP_STATUS_SENDING and a given skb is destructed after some time. Then, this will hit the BUG macro. As David suggested, the best solution is to simply remove this statement since it cannot be used for kernel side internal consistency checks. I've tested it and the system still behaves /stable/ in this case, so in accordance with the above comment, we should rather remove it. Signed-off-by: Daniel Borkmann <daniel.borkmann@tik.ee.ethz.ch> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Willy Tarreau <w@1wt.eu> 
[ Upstream commit 7f5c3e3a80e6654cf48dfba7cf94f88c6b505467 ]

Here's a quote of the comment about the BUG macro from asm-generic/bug.h:

 Don't use BUG() or BUG_ON() unless there's really no way out; one
 example might be detecting data structure corruption in the middle
 of an operation that can't be backed out of.  If the (sub)system
 can somehow continue operating, perhaps with reduced functionality,
 it's probably not BUG-worthy.

 If you're tempted to BUG(), think again:  is completely giving up
 really the *only* solution?  There are usually better options, where
 users don't need to reboot ASAP and can mostly shut down cleanly.

In our case, the status flag of a ring buffer slot is managed from both sides,
the kernel space and the user space. This means that even though the kernel
side might work as expected, the user space screws up and changes this flag
right between the send(2) is triggered when the flag is changed to
TP_STATUS_SENDING and a given skb is destructed after some time. Then, this
will hit the BUG macro. As David suggested, the best solution is to simply
remove this statement since it cannot be used for kernel side internal
consistency checks. I've tested it and the system still behaves /stable/ in
this case, so in accordance with the above comment, we should rather remove it.

Signed-off-by: Daniel Borkmann <daniel.borkmann@tik.ee.ethz.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
af_packet: prevent information leak 2011-07-13T03:29:27+00:00 Eric Dumazet eric.dumazet@gmail.com 2011-06-07T05:42:06+00:00 cc2c6564492b2a5f570d08d127c1496cc185a5f5 [ Upstream commit 13fcb7bd322164c67926ffe272846d4860196dc6 ] In 2.6.27, commit 393e52e33c6c2 (packet: deliver VLAN TCI to userspace) added a small information leak. Add padding field and make sure its zeroed before copy to user. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
[ Upstream commit 13fcb7bd322164c67926ffe272846d4860196dc6 ]

In 2.6.27, commit 393e52e33c6c2 (packet: deliver VLAN TCI to userspace)
added a small information leak.

Add padding field and make sure its zeroed before copy to user.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
net: packet: fix information leak to userland 2011-04-14T23:53:46+00:00 Vasiliy Kulikov segooon@gmail.com 2010-11-10T20:09:10+00:00 975c07cc89c47f28bb83f2c7cc32a273c75add8a commit 67286640f638f5ad41a946b9a3dc75327950248f upstream. packet_getname_spkt() doesn't initialize all members of sa_data field of sockaddr struct if strlen(dev->name) < 13. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. We have to fully fill sa_data with strncpy() instead of strlcpy(). The same with packet_getname(): it doesn't initialize sll_pkttype field of sockaddr_ll. Set it to zero. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: Moritz Muehlenhoff <jmm@debian.org> [jmm: Backported to 2.6.32] Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
commit 67286640f638f5ad41a946b9a3dc75327950248f upstream.

packet_getname_spkt() doesn't initialize all members of sa_data field of
sockaddr struct if strlen(dev->name) < 13.  This structure is then copied
to userland.  It leads to leaking of contents of kernel stack memory.
We have to fully fill sa_data with strncpy() instead of strlcpy().

The same with packet_getname(): it doesn't initialize sll_pkttype field of
sockaddr_ll.  Set it to zero.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Moritz Muehlenhoff <jmm@debian.org>
[jmm: Backported to 2.6.32]
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
af_packet: Don't use skb after dev_queue_xmit() 2010-02-09T12:50:56+00:00 Jarek Poplawski jarkao2@gmail.com 2010-01-10T22:04:19+00:00 3125258f78ae4930916d8c569a10dfd621db77ba [ Upstream commit eb70df13ee52dbc0f2c0ffd8ed34a8cd27440baf ] tpacket_snd() can change and kfree an skb after dev_queue_xmit(), which is illegal. With debugging by: Stephen Hemminger <shemminger@vyatta.com> Reported-by: Michael Breuer <mbreuer@majjas.com> With help from: David S. Miller <davem@davemloft.net> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Tested-by: Michael Breuer<mbreuer@majjas.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 
[ Upstream commit eb70df13ee52dbc0f2c0ffd8ed34a8cd27440baf ]

tpacket_snd() can change and kfree an skb after dev_queue_xmit(),
which is illegal.

With debugging by: Stephen Hemminger <shemminger@vyatta.com>

Reported-by: Michael Breuer <mbreuer@majjas.com>
With help from: David S. Miller <davem@davemloft.net>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Tested-by: Michael Breuer<mbreuer@majjas.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2009-10-29T16:22:08+00:00 Linus Torvalds torvalds@linux-foundation.org 2009-10-29T16:22:08+00:00 49b2de8e6febfea5a8791b6476195903af83a35d * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (43 commits) net: Fix 'Re: PACKET_TX_RING: packet size is too long' netdev: usb: dm9601.c can drive a device not supported yet, add support for it qlge: Fix firmware mailbox command timeout. qlge: Fix EEH handling. AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2) bonding: fix a race condition in calls to slave MII ioctls virtio-net: fix data corruption with OOM sfc: Set ip_summed correctly for page buffers passed to GRO cnic: Fix L2CTX_STATUSB_NUM offset in context memory. MAINTAINERS: rt2x00 list is moderated airo: Reorder tests, check bounds before element mac80211: fix for incorrect sequence number on hostapd injected frames libertas spi: fix sparse errors mac80211: trivial: fix spelling in mesh_hwmp cfg80211: sme: deauthenticate on assoc failure mac80211: keep auth state when assoc fails mac80211: fix ibss joining b43: add 'struct b43_wl' missing declaration b43: Fix Bugzilla #14181 and the bug from the previous 'fix' rt2x00: Fix crypto in TX frame for rt2800usb ... 
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (43 commits)
  net: Fix 'Re: PACKET_TX_RING: packet size is too long'
  netdev: usb: dm9601.c can drive a device not supported yet, add support for it
  qlge: Fix firmware mailbox command timeout.
  qlge: Fix EEH handling.
  AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2)
  bonding: fix a race condition in calls to slave MII ioctls
  virtio-net: fix data corruption with OOM
  sfc: Set ip_summed correctly for page buffers passed to GRO
  cnic: Fix L2CTX_STATUSB_NUM offset in context memory.
  MAINTAINERS: rt2x00 list is moderated
  airo: Reorder tests, check bounds before element
  mac80211: fix for incorrect sequence number on hostapd injected frames
  libertas spi: fix sparse errors
  mac80211: trivial: fix spelling in mesh_hwmp
  cfg80211: sme: deauthenticate on assoc failure
  mac80211: keep auth state when assoc fails
  mac80211: fix ibss joining
  b43: add 'struct b43_wl' missing declaration
  b43: Fix Bugzilla #14181 and the bug from the previous 'fix'
  rt2x00: Fix crypto in TX frame for rt2800usb
  ...
net: Fix 'Re: PACKET_TX_RING: packet size is too long' 2009-10-29T10:19:11+00:00 Gabor Gombas gombasg@sztaki.hu 2009-10-29T10:19:11+00:00 b5dd884e682cae6b8c037f9d11f3b623b4cf2011 Currently PACKET_TX_RING forces certain amount of every frame to remain unused. This probably originates from an early version of the PACKET_TX_RING patch that in fact used the extra space when the (since removed) CONFIG_PACKET_MMAP_ZERO_COPY option was enabled. The current code does not make any use of this extra space. This patch removes the extra space reservation and lets userspace make use of the full frame size. Signed-off-by: Gabor Gombas <gombasg@sztaki.hu> Signed-off-by: David S. Miller <davem@davemloft.net> 
Currently PACKET_TX_RING forces certain amount of every frame to remain
unused. This probably originates from an early version of the
PACKET_TX_RING patch that in fact used the extra space when the (since
removed) CONFIG_PACKET_MMAP_ZERO_COPY option was enabled. The current
code does not make any use of this extra space.

This patch removes the extra space reservation and lets userspace make
use of the full frame size.

Signed-off-by: Gabor Gombas <gombasg@sztaki.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2009-10-01T00:36:45+00:00 Linus Torvalds torvalds@linux-foundation.org 2009-10-01T00:36:45+00:00 817b33d38f81c8736d39283c35c886ae4668f1af * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: ax25: Fix possible oops in ax25_make_new net: restore tx timestamping for accelerated vlans Phonet: fix mutex imbalance sit: fix off-by-one in ipip6_tunnel_get_prl net: Fix sock_wfree() race net: Make setsockopt() optlen be unsigned. 
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
  ax25: Fix possible oops in ax25_make_new
  net: restore tx timestamping for accelerated vlans
  Phonet: fix mutex imbalance
  sit: fix off-by-one in ipip6_tunnel_get_prl
  net: Fix sock_wfree() race
  net: Make setsockopt() optlen be unsigned.
net: Make setsockopt() optlen be unsigned. 2009-09-30T23:12:20+00:00 David S. Miller davem@davemloft.net 2009-09-30T23:12:20+00:00 b7058842c940ad2c08dd829b21e5c92ebe3b8758 This provides safety against negative optlen at the type level instead of depending upon (sometimes non-trivial) checks against this sprinkled all over the the place, in each and every implementation. Based upon work done by Arjan van de Ven and feedback from Linus Torvalds. Signed-off-by: David S. Miller <davem@davemloft.net> 
This provides safety against negative optlen at the type
level instead of depending upon (sometimes non-trivial)
checks against this sprinkled all over the the place, in
each and every implementation.

Based upon work done by Arjan van de Ven and feedback
from Linus Torvalds.

Signed-off-by: David S. Miller <davem@davemloft.net>