* [kernel-hardening] Usercopy caught another one - ping IPv6...
From: Valdis Kletnieks @ 2016-06-27 3:29 UTC (permalink / raw)
To: kernel-hardening
usercopy kills attempts to use ping....
(Kernel tainted by a probably unrelated MMC issue)
[135768.173443] usercopy: kernel memory overwrite attempt detected to ffff8800be26fd90 (RAWv6) (32 bytes)
[135768.173451] CPU: 3 PID: 56577 Comm: ping Tainted: G D OE 4.7.0-rc3-next-20160614-dirty #302
[135768.173453] Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A17 08/19/2015
[135768.173455] 0000000000000000 000000004951b1ca ffff880223687e10 ffffffffb169f61a
[135768.173459] ffff8800be26fd90 000000004951b1ca 0000000000000020 0000000000000000
[135768.173463] ffff880223687e60 ffffffffb1367b30 0000000000000001 ffffea0002998868
[135768.173467] Call Trace:
[135768.173473] [<ffffffffb169f61a>] dump_stack+0x7b/0xd1
[135768.173476] [<ffffffffb1367b30>] __check_object_size+0x70/0x3d4
[135768.173479] [<ffffffffb1ded6bb>] compat_rawv6_setsockopt.part.11+0x4b/0x80
[135768.173482] [<ffffffffb1ded824>] rawv6_setsockopt+0x84/0xb0
[135768.173485] [<ffffffffb15c66c5>] ? selinux_socket_setsockopt+0x45/0x60
[135768.173488] [<ffffffffb1bd1d0a>] sock_common_setsockopt+0x3a/0xc0
[135768.173490] [<ffffffffb1bcfb99>] SyS_setsockopt+0x89/0x120
[135768.173493] [<ffffffffb20896e5>] entry_SYSCALL_64_fastpath+0x18/0xa8
[135768.173497] [<ffffffffb1143e3f>] ? trace_hardirqs_off_caller+0x1f/0xf0
* Re: [kernel-hardening] Usercopy caught another one - ping IPv6...
From: Marcus Meissner @ 2016-06-28 13:15 UTC (permalink / raw)
To: kernel-hardening
Hi,
This is probably the ICMPV6_FILTER setting?
	if (optlen > sizeof(struct icmp6_filter))
		optlen = sizeof(struct icmp6_filter);
	if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
		return -EFAULT;
struct raw6_sock has
	struct icmp6_filter filter;
not sure where the bug is.
Ciao, Marcus
On Sun, Jun 26, 2016 at 11:29:57PM -0400, Valdis Kletnieks wrote:
> usercopy kills attempts to use ping....
>
> (Kernel tainted by a probably unrelated MMC issue)
>
> [135768.173443] usercopy: kernel memory overwrite attempt detected to ffff8800be26fd90 (RAWv6) (32 bytes)
> [135768.173451] CPU: 3 PID: 56577 Comm: ping Tainted: G D OE 4.7.0-rc3-next-20160614-dirty #302
> [135768.173453] Hardware name: Dell Inc. Latitude E6530/07Y85M, BIOS A17 08/19/2015
> [135768.173455] 0000000000000000 000000004951b1ca ffff880223687e10 ffffffffb169f61a
> [135768.173459] ffff8800be26fd90 000000004951b1ca 0000000000000020 0000000000000000
> [135768.173463] ffff880223687e60 ffffffffb1367b30 0000000000000001 ffffea0002998868
> [135768.173467] Call Trace:
> [135768.173473] [<ffffffffb169f61a>] dump_stack+0x7b/0xd1
> [135768.173476] [<ffffffffb1367b30>] __check_object_size+0x70/0x3d4
> [135768.173479] [<ffffffffb1ded6bb>] compat_rawv6_setsockopt.part.11+0x4b/0x80
> [135768.173482] [<ffffffffb1ded824>] rawv6_setsockopt+0x84/0xb0
> [135768.173485] [<ffffffffb15c66c5>] ? selinux_socket_setsockopt+0x45/0x60
> [135768.173488] [<ffffffffb1bd1d0a>] sock_common_setsockopt+0x3a/0xc0
> [135768.173490] [<ffffffffb1bcfb99>] SyS_setsockopt+0x89/0x120
> [135768.173493] [<ffffffffb20896e5>] entry_SYSCALL_64_fastpath+0x18/0xa8
> [135768.173497] [<ffffffffb1143e3f>] ? trace_hardirqs_off_caller+0x1f/0xf0
>
--
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@suse.de>
* Re: [kernel-hardening] Usercopy caught another one - ping IPv6...
From: Valdis.Kletnieks @ 2016-06-28 16:31 UTC (permalink / raw)
To: kernel-hardening
On Tue, 28 Jun 2016 15:15:25 +0200, Marcus Meissner said:
> Hi,
>
> This is probably the ICMPV6_FILTER setting?
>
> 	if (optlen > sizeof(struct icmp6_filter))
> 		optlen = sizeof(struct icmp6_filter);
> 	if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
> 		return -EFAULT;
>
> struct raw6_sock has
> 	struct icmp6_filter filter;
>
> not sure where the bug is.
Probably no actual bug, but the allocation of storage for 'filter' needs to be
annotated. Thanks for finding that, that's the *hard* part. I'll look at it
and see if a reasonable patch is doable...