linux-hardened/net
Neil Horman d0021b252e tipc: Fix oops on send prior to entering networked mode (v3)
Fix TIPC to disallow sending to remote addresses prior to entering NET_MODE

user programs can oops the kernel by sending datagrams via AF_TIPC prior to
entering networked mode.  The following backtrace has been observed:

ID: 13459  TASK: ffff810014640040  CPU: 0   COMMAND: "tipc-client"
[exception RIP: tipc_node_select_next_hop+90]
RIP: ffffffff8869d3c3  RSP: ffff81002d9a5ab8  RFLAGS: 00010202
RAX: 0000000000000001  RBX: 0000000000000001  RCX: 0000000000000001
RDX: 0000000000000000  RSI: 0000000000000001  RDI: 0000000001001001
RBP: 0000000001001001   R8: 0074736575716552   R9: 0000000000000000
R10: ffff81003fbd0680  R11: 00000000000000c8  R12: 0000000000000008
R13: 0000000000000001  R14: 0000000000000001  R15: ffff810015c6ca00
ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
RIP: 0000003cbd8d49a3  RSP: 00007fffc84e0be8  RFLAGS: 00010206
RAX: 000000000000002c  RBX: ffffffff8005d116  RCX: 0000000000000000
RDX: 0000000000000008  RSI: 00007fffc84e0c00  RDI: 0000000000000003
RBP: 0000000000000000   R8: 00007fffc84e0c10   R9: 0000000000000010
R10: 0000000000000000  R11: 0000000000000246  R12: 0000000000000000
R13: 00007fffc84e0d10  R14: 0000000000000000  R15: 00007fffc84e0c30
ORIG_RAX: 000000000000002c  CS: 0033  SS: 002b

What happens is that, when the tipc module in inserted it enters a standalone
node mode in which communication to its own address is allowed <0.0.0> but not
to other addresses, since the appropriate data structures have not been
allocated yet (specifically the tipc_net pointer).  There is nothing stopping a
client from trying to send such a message however, and if that happens, we
attempt to dereference tipc_net.zones while the pointer is still NULL, and
explode.  The fix is pretty straightforward.  Since these oopses all arise from
the dereference of global pointers prior to their assignment to allocated
values, and since these allocations are small (about 2k total), lets convert
these pointers to static arrays of the appropriate size.  All the accesses to
these bits consider 0/NULL to be a non match when searching, so all the lookups
still work properly, and there is no longer a chance of a bad dererence
anywhere.  As a bonus, this lets us eliminate the setup/teardown routines for
those pointers, and elimnates the need to preform any locking around them to
prevent access while their being allocated/freed.

I've updated the tipc_net structure to behave this way to fix the exact reported
problem, and also fixed up the tipc_bearers and media_list arrays to fix an
obvious simmilar problem that arises from issuing tipc-config commands to
manipulate bearers/links prior to entering networked mode

I've tested this for a few hours by running the sanity tests and stress test
with the tipcutils suite, and nothing has fallen over.  There have been a few
lockdep warnings, but those were there before, and can be addressed later, as
they didn't actually result in any deadlock.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Allan Stephens <allan.stephens@windriver.com>
CC: David S. Miller <davem@davemloft.net>
CC: tipc-discussion@lists.sourceforge.net

 bearer.c |   37 ++++++-------------------------------
 bearer.h |    2 +-
 net.c    |   25 ++++---------------------
 3 files changed, 11 insertions(+), 53 deletions(-)
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-03-04 00:53:52 -08:00
..
9p 9p: fix p9_client_destroy unconditional calling v9fs_put_trans 2010-02-08 18:18:34 -06:00
802 sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00
8021q percpu: add __percpu sparse annotations to net 2010-02-16 23:05:38 -08:00
appletalk net: appletalk: use seq_hlist_foo() helpers 2010-02-10 11:12:09 -08:00
atm net: atm: use seq_list_foo() helpers 2010-02-10 12:31:10 -08:00
ax25 net: ax25: use seq_hlist_foo() helpers 2010-02-10 11:12:09 -08:00
bluetooth Bluetooth: Use single_open() for inquiry cache within debugfs 2010-03-03 01:04:38 -08:00
bridge bridge: depends on INET 2010-03-03 01:23:22 -08:00
can can: deny filterlist access on non-CAN interfaces 2010-02-02 07:21:34 -08:00
core Merge branch 'master' of /home/davem/src/GIT/linux-2.6/ 2010-02-28 19:23:06 -08:00
dcb const: struct nla_policy 2010-02-18 14:30:18 -08:00
dccp percpu: add __percpu sparse annotations to net 2010-02-16 23:05:38 -08:00
decnet net: Add checking to rcu_dereference() primitives 2010-02-25 09:41:03 +01:00
dsa netdev: convert pseudo-devices to netdev_tx_t 2009-09-01 01:13:07 -07:00
econet net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
ethernet llc: use dev_hard_header 2009-12-26 20:38:23 -08:00
ieee802154 net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
ipv4 gre: fix hard header destination address checking 2010-03-04 00:53:52 -08:00
ipv6 IPv6: fix race between cleanup and add/delete address 2010-03-04 00:39:34 -08:00
ipx net: ipx: use seq_list_foo() helpers 2010-02-10 12:31:10 -08:00
irda const: struct nla_policy 2010-02-18 14:30:18 -08:00
iucv const: constify remaining dev_pm_ops 2009-12-15 08:53:25 -08:00
key xfrm: SP lookups signature with mark 2010-02-22 16:21:12 -08:00
lapb net: remove NET_RX_BAD and NET_RX_CN* defines 2009-07-05 19:15:35 -07:00
llc llc: fix SAP reference counting w.r.t. socket handling 2009-12-26 20:47:23 -08:00
mac80211 mac80211: Fix HT rate control configuration 2010-03-03 15:39:21 -05:00
netfilter Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2010-02-26 09:31:09 -08:00
netlabel net: remove INIT_RCU_HEAD() usage 2010-02-17 00:03:27 -08:00
netlink netlink: Adding inode field to /proc/net/netlink 2010-02-28 01:29:49 -08:00
netrom net: netrom: use seq_hlist_foo() helpers 2010-02-10 11:12:08 -08:00
packet af_packet: move strict addr_len check right before dev_[mc/unicast]_[add/del] 2010-03-03 01:04:38 -08:00
phonet net: spread __net_init, __net_exit 2010-01-17 19:16:02 -08:00
rds net/rds: remove uses of NIPQUAD, use %pI4 2010-02-03 20:16:48 -08:00
rfkill rfkill: Add support for KEY_RFKILL 2010-03-02 14:28:49 -05:00
rose net: rose: use seq_hlist_foo() helpers 2010-02-10 11:12:08 -08:00
rxrpc net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
sched Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-02-09 11:44:44 -08:00
sctp net: remove INIT_RCU_HEAD() usage 2010-02-17 00:03:27 -08:00
sunrpc net: Fix first line of kernel-doc for a few functions 2010-02-14 22:35:47 -08:00
tipc tipc: Fix oops on send prior to entering networked mode (v3) 2010-03-04 00:53:52 -08:00
unix AF_UNIX: update locking comment 2010-02-18 14:12:06 -08:00
wanrouter headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
wimax const: struct nla_policy 2010-02-18 14:30:18 -08:00
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 2010-02-25 23:26:21 -08:00
x25 X25: Dont let x25_bind use addresses containing characters 2010-02-15 21:49:52 -08:00
xfrm ipsec: Fix bogus bundle flowi 2010-03-03 01:04:37 -08:00
compat.c net: use compat helper functions in compat_sys_recvmmsg 2009-12-11 15:07:57 -08:00
Kconfig net/compat/wext: send different messages to compat tasks 2009-07-15 08:53:39 -07:00
Makefile net: remove redundant sched/ in net/Makefile 2009-07-12 20:11:14 -07:00
nonet.c
socket.c fs: no games with DCACHE_UNHASHED 2009-12-17 10:51:40 -05:00
sysctl_net.c net: spread __net_init, __net_exit 2010-01-17 19:16:02 -08:00
TUNABLE