From: Nelson Elhage <nelhage@ksplice•com>
To: Dan Carpenter <error27@gmail•com>
Cc: Eric Dumazet <eric.dumazet@gmail•com>,
"David S. Miller" <davem@davemloft•net>,
Robert Olsson <robert.olsson@its•uu.se>,
Andy Shevchenko <andy.shevchenko@gmail•com>,
netdev@vger•kernel.org
Subject: Re: [patch v3] fix stack overflow in pktgen_if_write()
Date: Thu, 28 Oct 2010 11:22:22 -0400 [thread overview]
Message-ID: <20101028152222.GU16803@ksplice.com> (raw)
In-Reply-To: <20101028060529.GX6062@bicker>
You've got a leak if copy_user fails.
While testing this, I realized that printk() won't print more than 1k in a
single call, anyways, so I've sent along a patch that just copies up to 1k onto
the stack, which should prevent the overflow without changing behavior or
needing a heap allocation.
- Nelson
On Thu, Oct 28, 2010 at 08:05:29AM +0200, Dan Carpenter wrote:
> Nelson Elhage says he was able to oops both amd64 and i386 test
> machines with 8k writes to the pktgen file. Let's just allocate the
> buffer on the heap instead of on the stack.
>
> This can only be triggered by root so there are no security issues here.
>
> Reported-by: Nelson Elhage <nelhage@ksplice•com>
> Signed-off-by: Dan Carpenter <error27@gmail•com>
> ---
> v3: just use kmalloc()
>
> diff --git a/net/core/pktgen.c b/net/core/pktgen.c
> index 2c0df0f..c8d3620 100644
> --- a/net/core/pktgen.c
> +++ b/net/core/pktgen.c
> @@ -887,12 +887,17 @@ static ssize_t pktgen_if_write(struct file *file,
> i += len;
>
> if (debug) {
> - char tb[count + 1];
> + char *tb;
> +
> + tb = kmalloc(count + 1, GFP_KERNEL);
> + if (!tb)
> + return -ENOMEM;
> if (copy_from_user(tb, user_buffer, count))
> return -EFAULT;
> tb[count] = 0;
> printk(KERN_DEBUG "pktgen: %s,%lu buffer -:%s:-\n", name,
> (unsigned long)count, tb);
> + kfree(tb);
> }
>
> if (!strcmp(name, "min_pkt_size")) {
next prev parent reply other threads:[~2010-10-28 15:22 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-27 19:13 [PATCH] pktgen: Remove a dangerous debug print Nelson Elhage
2010-10-27 19:21 ` David Miller
2010-10-27 19:28 ` Nelson Elhage
2010-10-27 19:30 ` David Miller
2010-10-27 19:41 ` Eric Dumazet
2010-10-27 19:49 ` Nelson Elhage
2010-10-27 20:38 ` Ben Greear
2010-10-27 22:12 ` [patch] fix stack overflow in pktgen_if_write() Dan Carpenter
2010-10-27 22:40 ` Dan Carpenter
2010-10-27 22:43 ` [patch v2] " Dan Carpenter
2010-10-27 23:06 ` Nelson Elhage
2010-10-28 6:05 ` Dan Carpenter
2010-10-28 6:05 ` [patch v3] " Dan Carpenter
2010-10-28 15:22 ` Nelson Elhage [this message]
2010-10-28 16:28 ` Dan Carpenter
2010-10-28 16:30 ` Nelson Elhage
2010-10-28 23:11 ` Andi Kleen
2010-11-01 3:47 ` Dan Carpenter
2010-10-28 15:20 ` [PATCH] pktgen: Limit how much data we copy onto the stack Nelson Elhage
2010-10-28 18:32 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101028152222.GU16803@ksplice.com \
--to=nelhage@ksplice$(echo .)com \
--cc=andy.shevchenko@gmail$(echo .)com \
--cc=davem@davemloft$(echo .)net \
--cc=eric.dumazet@gmail$(echo .)com \
--cc=error27@gmail$(echo .)com \
--cc=netdev@vger$(echo .)kernel.org \
--cc=robert.olsson@its$(echo .)uu.se \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox