From: Nelson Elhage <nelhage@ksplice•com>
To: Dan Carpenter <error27@gmail•com>
Cc: Eric Dumazet <eric.dumazet@gmail•com>,
"David S. Miller" <davem@davemloft•net>,
Robert Olsson <robert.olsson@its•uu.se>,
Andy Shevchenko <andy.shevchenko@gmail•com>,
netdev@vger•kernel.org
Subject: Re: [patch v2] fix stack overflow in pktgen_if_write()
Date: Wed, 27 Oct 2010 19:06:57 -0400 [thread overview]
Message-ID: <20101027230657.GT16803@ksplice.com> (raw)
In-Reply-To: <20101027224302.GQ6062@bicker>
You want to add a trailing NUL, or else printk will read off the end of the
buffer.
Also, by memdup()ing count + 1 bytes, you're technically reading one more byte
than userspace asked for, which could in principle lead to a spurious EFAULT.
- Nelson
On Thu, Oct 28, 2010 at 12:43:02AM +0200, Dan Carpenter wrote:
> Nelson Elhage says he was able to oops both amd64 and i386 test
> machines with 8k writes to the pktgen file. Let's just allocate the
> buffer on the heap instead of on the stack.
>
> This can only be triggered by root so there are no security issues here.
>
> Reported-by: Nelson Elhage <nelhage@ksplice•com>
> Signed-off-by: Dan Carpenter <error27@gmail•com>
> ---
> I saw this on twitter. Hi Nelson, could you test this?
>
> V2: strndup_user() => memdup_user()
>
> diff --git a/net/core/pktgen.c b/net/core/pktgen.c
> index 2c0df0f..b5d3c70 100644
> --- a/net/core/pktgen.c
> +++ b/net/core/pktgen.c
> @@ -887,12 +887,14 @@ static ssize_t pktgen_if_write(struct file *file,
> i += len;
>
> if (debug) {
> - char tb[count + 1];
> - if (copy_from_user(tb, user_buffer, count))
> - return -EFAULT;
> - tb[count] = 0;
> + char *tb;
> +
> + tb = memdup_user(user_buffer, count + 1);
> + if (IS_ERR(tb))
> + return PTR_ERR(tb);
> printk(KERN_DEBUG "pktgen: %s,%lu buffer -:%s:-\n", name,
> (unsigned long)count, tb);
> + kfree(tb);
> }
>
> if (!strcmp(name, "min_pkt_size")) {
>
next prev parent reply other threads:[~2010-10-27 23:07 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-27 19:13 [PATCH] pktgen: Remove a dangerous debug print Nelson Elhage
2010-10-27 19:21 ` David Miller
2010-10-27 19:28 ` Nelson Elhage
2010-10-27 19:30 ` David Miller
2010-10-27 19:41 ` Eric Dumazet
2010-10-27 19:49 ` Nelson Elhage
2010-10-27 20:38 ` Ben Greear
2010-10-27 22:12 ` [patch] fix stack overflow in pktgen_if_write() Dan Carpenter
2010-10-27 22:40 ` Dan Carpenter
2010-10-27 22:43 ` [patch v2] " Dan Carpenter
2010-10-27 23:06 ` Nelson Elhage [this message]
2010-10-28 6:05 ` Dan Carpenter
2010-10-28 6:05 ` [patch v3] " Dan Carpenter
2010-10-28 15:22 ` Nelson Elhage
2010-10-28 16:28 ` Dan Carpenter
2010-10-28 16:30 ` Nelson Elhage
2010-10-28 23:11 ` Andi Kleen
2010-11-01 3:47 ` Dan Carpenter
2010-10-28 15:20 ` [PATCH] pktgen: Limit how much data we copy onto the stack Nelson Elhage
2010-10-28 18:32 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101027230657.GT16803@ksplice.com \
--to=nelhage@ksplice$(echo .)com \
--cc=andy.shevchenko@gmail$(echo .)com \
--cc=davem@davemloft$(echo .)net \
--cc=eric.dumazet@gmail$(echo .)com \
--cc=error27@gmail$(echo .)com \
--cc=netdev@vger$(echo .)kernel.org \
--cc=robert.olsson@its$(echo .)uu.se \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox