4948217 2000-03-28 07:23 /96 lines/ Postmaster
Recipient: Bugtraq (import) <10380>
Subject: Re: Local Denial-of-Service attack against Linux
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="W/nzBZO5zC0uMSeA"
Message-ID: <20000327090438.A317@armageddon.libero.it>
Date: Mon, 27 Mar 2000 09:04:39 +0200
Reply-To: sullivan@sikurezza.org
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Gigi Sullivan <sullivan@sikurezza.org>
X-To: Jay Fenlason <fenlason@CLEARWAY.COM>
X-cc: lcamtuf@DIONE.IDS.PL, bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000323175509.A23709@clearway.com>; from Jay Fenlason on Thu
Mar 23, 2000 at 05:55:09PM -0500
--W/nzBZO5zC0uMSeA
Content-Type: text/plain; charset=us-ascii
Aiee :)
Hello!
>
> This amusing little program will hang Linux 2.2.12 (default Red Hat 6.1),
> 2.2.14 (latest stable kernel) and 2.3.99-pre2 (latest development kernel)
> on my 6x86 scratch machine and our various Pentium development machines.
> Note that this does not require any special privileges.
>
> The send system call immediately puts the kernel in a loop spewing
> kmalloc: Size (131076) too large
> forever (or until you hit the reset button).
>
[snip]
I here enclose a very easy little kernel patch that should fix
this problem.
This is a temporary fix, tho.
I'm not sure this is the right way to do it and probably this could
break some actual behaviour (see the comments).
I apologize; still learning kernel internals.
bye bye
-- gg sullivan
P.S.
Advice, corrections, bug fixes :) are really welcome.
--
Lorenzo Cavallaro `Gigi Sullivan' <sullivan@sikurezza.org>
Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)
--W/nzBZO5zC0uMSeA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=ldos_patch
--- sock.c.orig Mon Mar 27 08:43:41 2000
+++ sock.c Mon Mar 27 08:52:16 2000
@@ -79,6 +79,10 @@
* Jay Schulist : Added SO_ATTACH_FILTER and SO_DETACH_FILTER.
* Andi Kleen : Add sock_kmalloc()/sock_kfree_s()
* Andi Kleen : Fix write_space callback
+ * Lorenzo `Gigi Sullivan' Cavallaro: Temporary Fix to local DoS due to
+ * too big buffer (AF_UNIX SOCK_DGRAM).
+ * Maybe this will broke something else.
+ * I apologize.
*
* To Fix:
*
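Review bot: the changelog entry added at the top of this hunk should record what the change does and why (report EMSGSIZE when the requested AF_UNIX SOCK_DGRAM buffer is larger than the allocator can serve) rather than "Maybe this will broke something else. / I apologize.", which belongs in the cover mail; a source-file header is read long after the thread is gone, so name the condition fixed and the reporter's test case, and drop the apology.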
@@ -566,6 +570,18 @@
skb->sk = sk;
return skb;
}
+
+ /*
+ * kmalloc (mm/slab.c) checks the size to allocate through a
+ * `cache size struct'.
+ * If we try to allocate much more then the maximum, just report it
+ * backwardly.
+ * XXX Will this broke something, like sock_wait_for_wmem()
+ * defined in net/core/sock.c ?
+ * Is this the right way ?
+ */
+
+ sk->err = EMSGSIZE;
}
return NULL;
}
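Review bot: `sk->err = EMSGSIZE;` is set on the fall-through path that is taken whenever the allocation above it yields no skb, for any reason, so a transient out-of-memory failure also becomes a sticky EMSGSIZE on the socket that the next sock_error() check (or SO_ERROR) reports as a message-size problem; the XXX in the comment about sock_wait_for_wmem() is well placed, because the retry loop is being broken out of by this side effect rather than by an explicit decision. The request size is known before any allocation is attempted, so the check belongs in the caller: compare len with sk->sndbuf and fail with -EMSGSIZE before calling the allocator, leaving this function unchanged for its other callers. In the comment, "much more then the maximum" should read "much more than the maximum" and "Will this broke" should read "Will this break".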
--W/nzBZO5zC0uMSeA--
(4948217) ------------------------------------------
4961976 2000-04-01 04:32 /120 lines/ Postmaster
Recipient: Bugtraq (import) <10422>
Subject: Re: Local Denial-of-Service attack against Linux
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=GvXjxJ+pjyke8COw
Message-ID: <20000401003726.A322@armageddon.allanon.org>
Date: Sat, 1 Apr 2000 00:37:27 +0200
Reply-To: sullivan@sikurezza.org
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Gigi Sullivan <sullivan@sikurezza.org>
X-To: Jay Fenlason <fenlason@CLEARWAY.COM>
X-cc: bugtraq@securityfocus.com, linux-net@vger.rutgers.edu
ml@sikurezza.org
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000323175509.A23709@clearway.com>; from Jay Fenlason on Thu
Mar 23, 2000 at 05:55:09PM -0500
--GvXjxJ+pjyke8COw
Content-Type: text/plain; charset=us-ascii
Aiee :)
Hello!
As I said in my previous post, the patch I supplied worked, but it
wasn't the right way to do it.
So, I attach here a `new' patch (very easy one, tho).
This should do the job and should be the `right way' to do it ...
however, if someone finds something wrong, please let me (us) know.
Thx a lot
bye bye
-- gg sullivan
> Apparently unix domain sockets are ignoring the /proc/sys/net/core/wmem_max
> parameter, despite the documentation to the contrary. The fix should be
> simple, but I haven't had time to chase it down, and I'm not (usually) a
> Linux kernel developer.
>
> -- JF
>
--
Lorenzo Cavallaro `Gigi Sullivan' <sullivan@sikurezza.org>
Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)
--GvXjxJ+pjyke8COw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=ldos_patch_last
--- sock.c.orig Fri Mar 31 23:36:00 2000
+++ sock.c Fri Mar 31 23:36:29 2000
@@ -79,10 +79,6 @@
* Jay Schulist : Added SO_ATTACH_FILTER and SO_DETACH_FILTER.
* Andi Kleen : Add sock_kmalloc()/sock_kfree_s()
* Andi Kleen : Fix write_space callback
- * Lorenzo `Gigi Sullivan' Cavallaro: Temporary Fix to local DoS due to
- * too big buffer (AF_UNIX SOCK_DGRAM).
- * Maybe this will broke something else.
- * I apologize.
*
* To Fix:
*
@@ -570,18 +566,6 @@
skb->sk = sk;
return skb;
}
-
- /*
- * kmalloc (mm/slab.c) checks the size to allocate through a
- * `cache size struct'.
- * If we try to allocate much more then the maximum, just report it
- * backwardly.
- * XXX Will this broke something, like sock_wait_for_wmem()
- * defined here (net/core/sock.c)?
- * Is this the right way ?
- */
-
- sk->err = EMSGSIZE;
}
return NULL;
}
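Review bot: this hunk is meant to back out the temporary fix from the earlier patch, but the lines it removes do not match what that patch inserted: the earlier version read "* defined in net/core/sock.c ?" whereas this hunk removes "* defined here (net/core/sock.c)?", so patch(1) run against a tree carrying the first patch will reject this hunk or apply it only with fuzz. Generate the revert with diff against the file as actually patched rather than by hand-editing the old patch, or ship the af_unix.c change alone and tell readers to reverse-apply ldos_patch.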
--- af_unix.c.orig Fri Mar 31 23:36:40 2000
+++ af_unix.c Sat Apr 1 00:31:40 2000
@@ -43,6 +43,8 @@
* number of socks to 2*max_files and
* the number of skb queueable in the
* dgram receiver.
+ * Lorenzo `Gigi Sullivan' Cavallaro : Fixed local DoS attack, due to
+ * unchecked sysctl_wmem_max sysctl (I hope) :)
*
* Known differences from reference BSD that was tested:
*
@@ -972,6 +974,16 @@
if (sock->passcred && !sk->protinfo.af_unix.addr)
unix_autobind(sock);
+ /*
+ * This should FIX the local DoS attack about sending msgs > sk->sndbuf
+ * Never had time to look the optimization code used for unix_stream,
+ * so, if the buffer we are going to send is > sysctl_wmem_max, just
+ * report an error (Drop the `packet').
+ */
+
+ if (len > sk->sndbuf - 16)
+ return -EMSGSIZE;
+
skb = sock_alloc_send_skb(sk, len, 0, msg->msg_flags&MSG_DONTWAIT, &err);
if (skb==NULL)
goto out;
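Review bot: the comment says a message is dropped when it is larger than sysctl_wmem_max, but the code compares against `sk->sndbuf - 16`; make the comment match the test and explain the 16, which lowers the largest accepted datagram below what SO_SNDBUF advertises, so a sender that sizes its datagram to exactly SO_SNDBUF now gets EMSGSIZE. The bare `return -EMSGSIZE;` also bypasses the function's own exit path, which the failure branch three lines below reaches via `goto out;`; setting `err = -EMSGSIZE;` and jumping to out keeps one exit and whatever cleanup it performs. Finally, the check is placed after `unix_autobind(sock);`, so a passcred socket gets bound to an autogenerated name for a message that is then discarded; testing the size before the autobind avoids that side effect. Rejecting the datagram with EMSGSIZE is otherwise the right outcome: it is the errno defined for a datagram larger than the socket can send, and a clean error to the caller is what the original report asked for.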
--GvXjxJ+pjyke8COw--
(4961976) ------------------------------------------
4970826 2000-04-04 07:19 /66 lines/ Postmaster
Recipient: Bugtraq (import) <10429>
Subject: Re: Local Denial-of-Service attack against Linux
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20000403230024.A286@armageddon.libero.it>
Date: Mon, 3 Apr 2000 23:00:24 +0200
Reply-To: Gigi Sullivan <sullivan@SIKUREZZA.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Gigi Sullivan <sullivan@SIKUREZZA.ORG>
X-To: Jeff Dafoe <jeffd@EVCOM.NET>
X-cc: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.3.96.1000402110433.6983B-100000@zothommog.evcom.net>
from Jeff Dafoe on Sun, Apr 02, 2000 at 11:10:29AM -0400
Aiee :)
Hello!
>
> The issues causing this DoS are apparently more complex than it
> may appear, I have followed the discussion in the Linux kernel mailing
> list. There is a patch for the exploit in 2.2.15pre-16 and it is a
> noteworthy amount of code.
>
> Jeff
Well, as I said in my previous post, I did the patch, but I said
that I'm not sure if my patch is the `right way to do it'.
However, I downloaded pre-patch-2.2.15pre-16 from
ftp.kernel.org/pub/linux/kernel/people/alan and this was the
patch I found:
diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla/net/unix/af_unix.c linux.15pre16/net/unix/af_unix.c
--- linux.vanilla/net/unix/af_unix.c Sat Aug 14 02:27:46 1999
+++ linux.15pre16/net/unix/af_unix.c Tue Mar 28 17:27:52 2000
@@ -969,6 +969,10 @@
return -ENOTCONN;
}
+ err = -EMSGSIZE;
+ if (len > sk->sndbuf)
+ goto out;
+
if (sock->passcred && !sk->protinfo.af_unix.addr)
unix_autobind(sock);
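Review bot: the check is placed before unix_autobind() and uses the function's existing `err = ...; goto out;` convention, which is the shape to prefer over an early return. What is missing is a one-line comment on why -EMSGSIZE and why sk->sndbuf is the bound: SO_SNDBUF is capped by /proc/sys/net/core/wmem_max, which is exactly the limit the original report says AF_UNIX datagrams were ignoring, and without that note the hunk reads as an arbitrary size cap. Note also that the comparison is `len > sk->sndbuf`, with no margin: a datagram of exactly sk->sndbuf bytes is accepted, and the skb's own overhead is left to the allocator to account for.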
And this isn't so different from mine (except for the fact that I
check len > sk->sndbuf - 16, thus limiting the sending buffer
[so in that I was wrong]).
Thx a lot!
bye bye
-- gg sullivan
--
Lorenzo Cavallaro `Gigi Sullivan' <sullivan@sikurezza.org>
Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)
(4970826) ------------------------------------------(Reflowed)
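The last two messages settle on a kernel-side test of the form `len > sk->sndbuf` (with or without a 16-byte margin) returning EMSGSIZE, and the original report ties the problem to /proc/sys/net/core/wmem_max. The C program below is an added example, not code from this thread, from the patches it quotes, or from the kernel: from user space, without privileges and without sending any data, it measures the ceiling such a check enforces on a running Linux system (the default SO_SNDBUF of an AF_UNIX SOCK_DGRAM socket, and what SO_SNDBUF becomes after requesting far more than wmem_max, which Linux caps at wmem_max and doubles) and models the two variants of the check side by side. The names `sndbuf_probe`, `probe_unix_dgram_sndbuf` and `dgram_len_check` are this example's own.

```c
/* Added example: not from the Bugtraq thread or the kernel patches it quotes.
 * Names (sndbuf_probe, probe_unix_dgram_sndbuf, dgram_len_check) are this
 * example's own.  Linux-specific, unprivileged; it sends no data at all. */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

struct sndbuf_probe {
    long wmem_max;       /* /proc/sys/net/core/wmem_max, or -1 if unreadable */
    int  default_sndbuf; /* SO_SNDBUF of a fresh AF_UNIX SOCK_DGRAM socket   */
    int  clamped_sndbuf; /* SO_SNDBUF after requesting far more than wmem_max */
};

/* Model of the kernel-side test from the thread: reject a datagram whose
 * payload exceeds the socket's send buffer minus `slack`.  slack == 16 is the
 * check from the second patch; slack == 0 is the one in 2.2.15pre16.
 * Returns 0 (accept) or -EMSGSIZE, as unix_dgram_sendmsg() would. */
int dgram_len_check(long len, int sndbuf, int slack)
{
    if (len > (long)sndbuf - slack)
        return -EMSGSIZE;
    return 0;
}

/* Read one integer from a /proc sysctl file; -1 when it cannot be read. */
static long read_proc_long(const char *path)
{
    FILE *f = fopen(path, "r");
    long v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

static int get_sndbuf(int fd)
{
    int v = 0;
    socklen_t vlen = sizeof(v);
    return getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &v, &vlen) < 0 ? -1 : v;
}

/* Open an AF_UNIX datagram socket, record its default SO_SNDBUF, then ask for
 * an absurdly large buffer and record what the kernel actually granted.
 * Linux caps the request at wmem_max and stores twice that, so the granted
 * value is the real ceiling a `len > sk->sndbuf` check enforces.
 * Returns a pointer to static results, or NULL if a socket call failed. */
const struct sndbuf_probe *probe_unix_dgram_sndbuf(void)
{
    static struct sndbuf_probe p;
    int fd, ask = 1 << 30;

    p.wmem_max = read_proc_long("/proc/sys/net/core/wmem_max");
    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return NULL;
    p.default_sndbuf = get_sndbuf(fd);
    if (p.default_sndbuf < 0 ||
        setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &ask, sizeof(ask)) < 0 ||
        (p.clamped_sndbuf = get_sndbuf(fd)) < 0) {
        close(fd);
        return NULL;
    }
    close(fd);
    return &p;
}

int main(void)
{
    const struct sndbuf_probe *p = probe_unix_dgram_sndbuf();
    if (!p) {
        perror("probe");
        return 1;
    }
    printf("wmem_max                  : %ld\n", p->wmem_max);
    printf("default SO_SNDBUF         : %d\n", p->default_sndbuf);
    printf("SO_SNDBUF after 1G request: %d (expect <= 2*wmem_max)\n", p->clamped_sndbuf);
    /* Largest datagram each variant of the check lets through at the default size. */
    printf("largest payload, 2.2.15pre16 check  : %d\n", p->default_sndbuf);
    printf("largest payload, `sndbuf - 16' check: %d\n", p->default_sndbuf - 16);
    /* A datagram sized exactly to SO_SNDBUF: accepted upstream, refused by the -16 variant. */
    printf("len == SO_SNDBUF -> upstream %d, -16 variant %d\n",
           dgram_len_check(p->default_sndbuf, p->default_sndbuf, 0),
           dgram_len_check(p->default_sndbuf, p->default_sndbuf, 16));
    return 0;
}
```

Run it once on an unmodified box and once after raising or lowering wmem_max: the clamped SO_SNDBUF tracks 2*wmem_max, which is why a `len > sk->sndbuf` test in the datagram send path is also a wmem_max test, as the original report expected. The last line shows the practical cost of the 16-byte margin: a sender that trusts SO_SNDBUF as its maximum datagram size is refused by that variant and accepted by the 2.2.15pre16 one.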