From linux-kernel  Fri Apr 16 09:29:18 1999
From: Richard Guenther <zxmpm11 () student ! uni-tuebingen ! de>
Date: Fri, 16 Apr 1999 09:29:18 +0000
To: linux-kernel
Subject: Serious BUG in scm_send() [NET] causes total freeze
X-MARC-Message: https://marc.info/?l=linux-kernel&m=92425624802727

Hi!

A bug in scm_send() (probably, I could not see the actual bug from
reading the source) causes Linux 2.2.5 to totally freeze.
To trigger the bug just send a msg to a socket with some scm
attached but the msg_controllen set too high (stupid bug by me...),
source is attached below.

From reading the source, I think what could cause problems (may be
not in this case) is _negative_ controllen (what does copy_from_user
do with negative length parameter?? if it just takes it unsigned
it would happily overwrite our stack, provided the user mem is
readable) and _negative_ cmsg_len (you could construct endless
loops in the cmsg array (maybe I'm seeing this, but it is unlikely
to happen with just garbage after the first cmsg...)).

Well, hope this helps.

btw, I dont know how 2.0.xx behaves - so Alan, you may want to check
this.

Richard.



#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/sem.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <stdio.h>


void main(void)
{
  struct sockaddr_un addr;
  char data[128];
  int rdata[128];
  struct cmsghdr *rights = (struct cmsghdr *)rdata;
  struct msghdr msg;
  struct iovec vdata;
  int s[2], res;

  if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) == -1) {
    perror("socketpair");
    exit(-1);
  }

  rights->cmsg_level = AF_UNIX;
  rights->cmsg_type = SCM_RIGHTS;
  rights->cmsg_len = sizeof(struct cmsghdr)+4;
  rdata[3] = 1;

  vdata.iov_base = data;
  vdata.iov_len = 20;
  msg.msg_name = NULL;
  msg.msg_namelen = 0;
  msg.msg_iov = &vdata;
  msg.msg_iovlen = 1;
  msg.msg_control = rdata;
  msg.msg_controllen = sizeof(rdata);
  // msg.msg_controllen = rights->cmsg_len;
  msg.msg_flags = 0;
  if (sendmsg(s[0], &msg, 0) == -1) {
    perror("sendmsg");
  }

  close(s[0]);
  close(s[1]);
}



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/