Bug in net/ipv6/ip6_fib.c:fib6_dump_table()

From: Debabrata Banerjee
Date: Tue Jun 12 2012 - 13:22:25 EST

Next message: Borislav Petkov: "Re: [PATCH] perf/x86: check ucode before disabling PEBS onSandyBridge"
Previous message: James Bottomley: "Re: [PATCH] scsi: allow persistent reservations withoutCAP_SYS_RAWIO"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Looks like commit 2bec5a369ee79576a3eea2c23863325089785a2c "ipv6: fib:
fix crash when changing large fib while dumping" is the culprit. The
result of this code is that if there is a tree addition while a dump
has suspended because the netlink skb is full, it will simply go back
to the top of the tree and you end up with duplicate/triplicate/etc
routes. It looks like the code attempts to count nodes, but it's a
linear count and the data structure is a tree so that's a big problem.
The net result is potentially DOSable, since if route table updates
happen often enough in proportion to table size, a dump will attempt
to return an infinite amount of routes (observed). So this commit
should be reverted. However I am interested in the problem that commit
tried to solve, if anyone has more information on that. My assumption
is the fib tree gets corrupted and eventually it crashes in
fib6_dump_table(), which I assume can still happen.

I can easily demonstrate the bug by adding cloned/cache routes while I
check the results of fib6_dump_table:

root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:~# ip -6 -o route
show table cache |tee tmp | wc -l; sort tmp | uniq -u | wc -l
593
189
root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:~# ip -6 -o route
show table cache |tee tmp | wc -l; sort tmp | uniq -u | wc -l
884
16
root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:~# ip -6 -o route
show table cache |tee tmp | wc -l; sort tmp | uniq -u | wc -l
888
78
root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:~# ip -6 -o route
show table cache |tee tmp | wc -l; sort tmp | uniq -u | wc -l
507
507
root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:~# ip -6 -o route
show table cache |tee tmp | wc -l; sort tmp | uniq -u | wc -l
533
533
root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:~# ip -6 -o route
show table cache |tee tmp | wc -l; sort tmp | uniq -u | wc -l
571
571

Thanks,
Debabrata
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Borislav Petkov: "Re: [PATCH] perf/x86: check ucode before disabling PEBS onSandyBridge"
Previous message: James Bottomley: "Re: [PATCH] scsi: allow persistent reservations withoutCAP_SYS_RAWIO"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]