On Mon, Oct 14, 2013 at 03:21:38PM +0200, Alexander Bluhm wrote:
> Hi,
>
> By passing invalid rtm_flags and rtm_addrs values in the routing
> message, I can crash the kernel from user land.
>
> login: uvm_fault(0xfffffe800554b388, 0x4, 0, 1) -> e
> fatal page fault in supervisor mode
> trap type 6 code 0 rip ffffffff812312d7 cs 8 rflags 246 cr2 4 cpl 5 rsp
> ffff8000039de8a0
> panic: trap type 6, code=0, pc=ffffffff812312d7
> Starting stack trace...
> panic() at panic+0xfb
> trap() at trap+0x710
> --- trap (number 6) ---
> arp_rtrequest() at arp_rtrequest+0xc7
> rtrequest1() at rtrequest1+0x56d
> route_output() at route_output+0x815
> raw_usrreq() at raw_usrreq+0x227
> route_usrreq() at route_usrreq+0x6e
> sosend() at sosend+0x466
> dofilewritev() at dofilewritev+0x18b
> sys_write() at sys_write+0x8f
> syscall() at syscall+0x162
> --- syscall (number 4) ---
> end of kernel
> end trace frame: 0x8439e0, count: 246
> acpi_pdirpa+0x400a0a:
> End of stack trace.
>
> This diff prevents the crash.
>
> ok?
Ugh, that is horrible code that works around broken userland daemons. Diff is OK but I would like to remove this check in the long run. What do you think? -- :wq Claudio > bluhm > > Index: netinet/if_ether.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/if_ether.c,v > retrieving revision 1.107 > diff -u -p -u -p -r1.107 if_ether.c > --- netinet/if_ether.c 3 Sep 2013 10:25:32 -0000 1.107 > +++ netinet/if_ether.c 14 Oct 2013 13:09:40 -0000 > @@ -191,7 +191,7 @@ arp_rtrequest(int req, struct rtentry *r > * such as older version of routed or gated might provide, > * restore cloning bit. > */ > - if ((rt->rt_flags & RTF_HOST) == 0 && > + if ((rt->rt_flags & RTF_HOST) == 0 && rt_mask(rt) && > satosin(rt_mask(rt))->sin_addr.s_addr != 0xffffffff) > rt->rt_flags |= RTF_CLONING; > if (rt->rt_flags & RTF_CLONING) { >
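Review bot: The added rt_mask(rt) guard in the RTF_HOST test stops the NULL dereference (the cr2 4 in the trace is the offset of sin_addr inside struct sockaddr_in), but it also lets a route that has neither RTF_HOST nor a netmask through silently, merely without RTF_CLONING, so the inconsistent entry still lands in the routing table. Rejecting an RTM_ADD whose rtm_flags clear RTF_HOST while rtm_addrs lacks RTA_NETMASK in route_output(), before rtrequest1() is ever reached, would cover every rt_mask() caller at once instead of this single one; if the workaround stays, the comment above it ("such as older version of routed or gated might provide") should also say that a missing mask is now tolerated here.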
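The check Claudio would rather have than the in-kernel workaround, as an added example that is not code from this thread or from OpenBSD: a user-land walker over a routing-socket message that refuses an RTM_ADD whose rtm_flags clear RTF_HOST while rtm_addrs carries no RTA_NETMASK, which is exactly the combination that leaves rt_mask() NULL in arp_rtrequest(). The header layout, the sockaddr_in layout and the RTF_/RTA_ constants are simplified copies written for this example (assumption: they only need to be consistent with the builder below, not with any release's headers), and every message is constructed inline.

```c
/*
 * Added example, not part of the OpenBSD thread above. It validates a
 * routing message in user land the way the kernel could before calling
 * rtrequest1(): a non-host route (RTF_HOST clear) must carry a netmask
 * (RTA_NETMASK set), otherwise rt_mask() would be NULL later on.
 * Struct layouts and constants are simplified copies for this example
 * (assumption), not the live system headers.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTF_HOST     0x4     /* host entry (net route otherwise) */
#define RTF_CLONING  0x100   /* generate new routes on use */
#define RTA_DST      0x1
#define RTA_GATEWAY  0x2
#define RTA_NETMASK  0x4
#define RTM_ADD      0x1

/* Simplified rt_msghdr: only the fields this example needs (assumption). */
struct rtmsg_hdr {
    uint16_t rtm_msglen;
    uint8_t  rtm_version;
    uint8_t  rtm_type;
    int      rtm_flags;
    int      rtm_addrs;
};

/* BSD-style sockaddr_in with the sa_len byte first. */
struct sa_in {
    uint8_t  sin_len;
    uint8_t  sin_family;
    uint16_t sin_port;
    uint32_t sin_addr;          /* network byte order */
    uint8_t  sin_zero[8];
};

/* Sockaddrs inside a routing message are padded to a long boundary. */
#define SA_ROUNDUP(n) (((n) + sizeof(long) - 1) & ~(sizeof(long) - 1))

enum rtm_verdict {
    RTV_OK = 0,
    RTV_ERR_TRUNCATED,     /* rtm_addrs promises sockaddrs that are not there */
    RTV_ERR_NO_DST,        /* an RTM_ADD without RTA_DST makes no sense */
    RTV_ERR_NET_NO_MASK    /* RTF_HOST clear but no RTA_NETMASK: rt_mask() would be NULL */
};

/*
 * Walk the sockaddrs following the header in RTA_* bit order (only set
 * bits are present). On RTV_OK, *flags_out is rtm_flags with RTF_CLONING
 * restored the way arp_rtrequest() does it, which is now safe because a
 * mask is guaranteed for every non-host route. This example requires a
 * full 16-byte sockaddr_in for each address (assumption; the kernel also
 * accepts shorter netmask sockaddrs).
 */
enum rtm_verdict check_rtm(const unsigned char *msg, size_t len, int *flags_out)
{
    struct rtmsg_hdr hdr;
    uint32_t mask_addr = 0;
    int have_mask = 0, bit;
    size_t off = sizeof hdr;

    if (len < sizeof hdr)
        return RTV_ERR_TRUNCATED;
    memcpy(&hdr, msg, sizeof hdr);
    if ((hdr.rtm_addrs & RTA_DST) == 0)
        return RTV_ERR_NO_DST;

    for (bit = RTA_DST; bit <= RTA_NETMASK; bit <<= 1) {
        uint8_t sl;
        if ((hdr.rtm_addrs & bit) == 0)
            continue;
        if (off >= len)
            return RTV_ERR_TRUNCATED;
        sl = msg[off];                       /* sa_len is the first byte */
        if (sl < sizeof(struct sa_in) || off + sl > len)
            return RTV_ERR_TRUNCATED;
        if (bit == RTA_NETMASK) {
            memcpy(&mask_addr, msg + off + offsetof(struct sa_in, sin_addr), sizeof mask_addr);
            have_mask = 1;
        }
        off += SA_ROUNDUP(sl);
    }

    /* The consistency check the kernel diff only papers over. */
    if ((hdr.rtm_flags & RTF_HOST) == 0 && !have_mask)
        return RTV_ERR_NET_NO_MASK;
    /* Same rule as if_ether.c, reached only with a mask present. */
    if ((hdr.rtm_flags & RTF_HOST) == 0 && mask_addr != 0xffffffffu)
        hdr.rtm_flags |= RTF_CLONING;
    *flags_out = hdr.rtm_flags;
    return RTV_OK;
}

/* Build a constructed RTM_ADD with the given flags/addrs; 0 if buf is too small. */
size_t build_rtm(unsigned char *buf, size_t cap, int flags, int addrs, uint32_t mask_addr)
{
    struct rtmsg_hdr hdr = { 0, 5, RTM_ADD, flags, addrs };  /* version 5: illustrative */
    size_t off = sizeof hdr;
    int bit;

    for (bit = RTA_DST; bit <= RTA_NETMASK; bit <<= 1) {
        struct sa_in sa;
        if ((addrs & bit) == 0)
            continue;
        memset(&sa, 0, sizeof sa);
        sa.sin_len = sizeof sa;
        sa.sin_family = 2;                  /* AF_INET */
        sa.sin_addr = (bit == RTA_NETMASK) ? mask_addr : 0x0a000001u; /* constructed 10.0.0.1 */
        if (off + SA_ROUNDUP(sizeof sa) > cap)
            return 0;
        memcpy(buf + off, &sa, sizeof sa);
        off += SA_ROUNDUP(sizeof sa);
    }
    hdr.rtm_msglen = (uint16_t)off;
    memcpy(buf, &hdr, sizeof hdr);
    return off;
}

/* Convenience wrappers: verdict, and resulting flags (-1 when rejected). */
enum rtm_verdict verdict_for(int flags, int addrs, uint32_t mask)
{
    unsigned char buf[128];
    int out = 0;
    return check_rtm(buf, build_rtm(buf, sizeof buf, flags, addrs, mask), &out);
}

int flags_for(int flags, int addrs, uint32_t mask)
{
    unsigned char buf[128];
    int out = 0;
    if (check_rtm(buf, build_rtm(buf, sizeof buf, flags, addrs, mask), &out) != RTV_OK)
        return -1;
    return out;
}

int main(void)
{
    /* The shape from the bug report: RTF_HOST clear, no netmask supplied. */
    printf("net route without mask: verdict %d\n", verdict_for(0, RTA_DST | RTA_GATEWAY, 0));
    printf("net route with /24 mask: flags 0x%x\n", flags_for(0, RTA_DST | RTA_NETMASK, 0xffffff00u));
    return 0;
}
```

The walker stops at RTA_NETMASK because that is the only address the check needs; a production validator would keep walking the remaining RTA_* bits so that rtm_addrs and the buffer length are checked against each other for every sockaddr.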