* [kernel-hardening] Usercopy caught another one - ping IPv6...
From: Valdis Kletnieks @ 2016-06-27  3:29 UTC (permalink / raw)
  To: kernel-hardening


usercopy kills attempts to use ping....

(Kernel tainted by a probably unrelated MMC issue)

[135768.173443] usercopy: kernel memory overwrite attempt detected to ffff8800be26fd90 (RAWv6) (32 bytes)
[135768.173451] CPU: 3 PID: 56577 Comm: ping Tainted: G      D    OE   4.7.0-rc3-next-20160614-dirty #302
[135768.173453] Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A17 08/19/2015
[135768.173455]  0000000000000000 000000004951b1ca ffff880223687e10 ffffffffb169f61a
[135768.173459]  ffff8800be26fd90 000000004951b1ca 0000000000000020 0000000000000000
[135768.173463]  ffff880223687e60 ffffffffb1367b30 0000000000000001 ffffea0002998868
[135768.173467] Call Trace:
[135768.173473]  [<ffffffffb169f61a>] dump_stack+0x7b/0xd1
[135768.173476]  [<ffffffffb1367b30>] __check_object_size+0x70/0x3d4
[135768.173479]  [<ffffffffb1ded6bb>] compat_rawv6_setsockopt.part.11+0x4b/0x80
[135768.173482]  [<ffffffffb1ded824>] rawv6_setsockopt+0x84/0xb0
[135768.173485]  [<ffffffffb15c66c5>] ? selinux_socket_setsockopt+0x45/0x60
[135768.173488]  [<ffffffffb1bd1d0a>] sock_common_setsockopt+0x3a/0xc0
[135768.173490]  [<ffffffffb1bcfb99>] SyS_setsockopt+0x89/0x120
[135768.173493]  [<ffffffffb20896e5>] entry_SYSCALL_64_fastpath+0x18/0xa8
[135768.173497]  [<ffffffffb1143e3f>] ? trace_hardirqs_off_caller+0x1f/0xf0



* Re: [kernel-hardening] Usercopy caught another one - ping IPv6...
From: Marcus Meissner @ 2016-06-28 13:15 UTC (permalink / raw)
  To: kernel-hardening

Hi,

This is probably the ICMPV6_FILTER setting?

        /* rawv6_setsockopt(), ICMPV6_FILTER: cap optlen, then copy into the embedded filter */
        if (optlen > sizeof(struct icmp6_filter))
                optlen = sizeof(struct icmp6_filter);
        if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
                return -EFAULT;

struct raw6_sock has
        struct icmp6_filter     filter;

not sure where the bug is.

Ciao, Marcus

On Sun, Jun 26, 2016 at 11:29:57PM -0400, Valdis Kletnieks wrote:
> usercopy kills attempts to use ping....
> 
> (Kernel tainted by a probably unrelated MMC issue)
> 
> [135768.173443] usercopy: kernel memory overwrite attempt detected to ffff8800be26fd90 (RAWv6) (32 bytes)
> [135768.173451] CPU: 3 PID: 56577 Comm: ping Tainted: G      D    OE   4.7.0-rc3-next-20160614-dirty #302
> [135768.173453] Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A17 08/19/2015
> [135768.173455]  0000000000000000 000000004951b1ca ffff880223687e10 ffffffffb169f61a
> [135768.173459]  ffff8800be26fd90 000000004951b1ca 0000000000000020 0000000000000000
> [135768.173463]  ffff880223687e60 ffffffffb1367b30 0000000000000001 ffffea0002998868
> [135768.173467] Call Trace:
> [135768.173473]  [<ffffffffb169f61a>] dump_stack+0x7b/0xd1
> [135768.173476]  [<ffffffffb1367b30>] __check_object_size+0x70/0x3d4
> [135768.173479]  [<ffffffffb1ded6bb>] compat_rawv6_setsockopt.part.11+0x4b/0x80
> [135768.173482]  [<ffffffffb1ded824>] rawv6_setsockopt+0x84/0xb0
> [135768.173485]  [<ffffffffb15c66c5>] ? selinux_socket_setsockopt+0x45/0x60
> [135768.173488]  [<ffffffffb1bd1d0a>] sock_common_setsockopt+0x3a/0xc0
> [135768.173490]  [<ffffffffb1bcfb99>] SyS_setsockopt+0x89/0x120
> [135768.173493]  [<ffffffffb20896e5>] entry_SYSCALL_64_fastpath+0x18/0xa8
> [135768.173497]  [<ffffffffb1143e3f>] ? trace_hardirqs_off_caller+0x1f/0xf0
> 



-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@suse.de>


* Re: [kernel-hardening] Usercopy caught another one - ping IPv6...
From: Valdis.Kletnieks @ 2016-06-28 16:31 UTC (permalink / raw)
  To: kernel-hardening


On Tue, 28 Jun 2016 15:15:25 +0200, Marcus Meissner said:
> Hi,
>
> This is probably the ICMPV6_FILTER setting?
>
>         if (optlen > sizeof(struct icmp6_filter))
>                 optlen = sizeof(struct icmp6_filter);
>         if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
>                 return -EFAULT;
>
> struct raw6_sock has
>         struct icmp6_filter     filter;
>
> not sure where the bug is.

Probably no actual bug, but the allocation of storage for 'filter' needs to be
annotated.  Thanks for finding that, that's the *hard* part.  I'll look at it
and see if a reasonable patch is doable...



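An added userspace model of the hardened-usercopy heap check that produced the splat in this thread (not kernel code and not from any of the posters), using the raw socket and ICMPV6_FILTER case discussed above: the 32-byte copy into the embedded filter is rejected while the socket's slab cache has no whitelisted region, and allowed once that region is annotated. The struct layouts are simplified stand-ins, and the annotation is assumed to take the (useroffset, usersize) form that later mainline kernels expose through kmem_cache_create_usercopy().

```c
/* Added userspace model of the hardened-usercopy heap check; not kernel code.
 * Assumed: simplified struct layouts, and a per-cache (useroffset, usersize)
 * whitelist as later kernels set via kmem_cache_create_usercopy(). */
#include <stddef.h>
#include <stdint.h>
struct icmp6_filter { uint32_t data[8]; };     /* 32 bytes, matching the log */
/* Stand-in for struct raw6_sock: socket state, then the embedded filter. */
struct raw6_sock_model {
    uint8_t  sock_state[64];         /* placeholder for inet/ipv6 fields */
    struct icmp6_filter filter;
    uint8_t  more_state[16];         /* fields after the filter */
};
/* Stand-in for a slab cache: object size plus an optional usercopy region. */
struct cache_model {
    size_t size;        /* object size */
    size_t useroffset;  /* start of the region user copies may touch */
    size_t usersize;    /* its length; 0 means nothing is whitelisted */
};
/* 1 if copying n bytes at ptr inside obj is allowed, 0 if the check would
 * abort with "kernel memory overwrite attempt detected". The region test
 * mirrors the one in the kernel's __check_heap_object(). */
int usercopy_heap_check(const struct cache_model *c, const void *obj,
                        const void *ptr, size_t n)
{
    size_t offset = (size_t)((const char *)ptr - (const char *)obj);
    if (offset >= c->size || n > c->size - offset)   /* leaves the object */
        return 0;
    if (offset < c->useroffset ||
        offset - c->useroffset > c->usersize ||
        n > c->useroffset - offset + c->usersize)    /* leaves the region */
        return 0;
    return 1;
}
/* The ICMPV6_FILTER path from the thread: cap optlen, copy into the filter. */
int icmpv6_filter_setsockopt_allowed(const struct cache_model *c,
                                     struct raw6_sock_model *sk, size_t optlen)
{
    if (optlen > sizeof(struct icmp6_filter))
        optlen = sizeof(struct icmp6_filter);
    return usercopy_heap_check(c, sk, &sk->filter, optlen);
}
/* Constructed sample object and two caches: unannotated (the thread's state)
 * and annotated with the filter as its usercopy region. */
static struct raw6_sock_model sk_obj;
static const struct cache_model cache_plain = { sizeof(struct raw6_sock_model), 0, 0 };
static const struct cache_model cache_annotated = {
    sizeof(struct raw6_sock_model), offsetof(struct raw6_sock_model, filter),
    sizeof(struct icmp6_filter) };
```

With the annotated cache, a copy that starts inside the filter but runs past its end, or one aimed at the fields before it, is still refused.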
