|
|
978e96 |
commit 2eecc8afd02d8c65cf098cbae4de87f332dc21bd
|
|
|
978e96 |
Author: Florian Weimer <fweimer@redhat.com>
|
|
|
978e96 |
Date: Mon Nov 9 12:48:41 2015 +0100
|
|
|
978e96 |
|
|
|
978e96 |
Terminate process on invalid netlink response from kernel [BZ #12926]
|
|
|
978e96 |
|
|
|
978e96 |
The recvmsg system calls for netlink sockets have been particularly
|
|
|
978e96 |
prone to picking up unrelated data after a file descriptor race
|
|
|
978e96 |
(where the descriptor is closed and reopened concurrently in a
|
|
|
978e96 |
multi-threaded process, as the result of a file descriptor
|
|
|
978e96 |
management issue elsewhere). This commit adds additional error
|
|
|
978e96 |
checking and aborts the process if a datagram of unexpected length
|
|
|
978e96 |
(without the netlink header) is received, or an error code which
|
|
|
978e96 |
cannot happen due to the way the netlink socket is used.
|
|
|
978e96 |
|
|
|
978e96 |
[BZ #12926]
|
|
|
978e96 |
Terminate process on invalid netlink response.
|
|
|
978e96 |
* sysdeps/unix/sysv/linux/netlinkaccess.h
|
|
|
978e96 |
(__netlink_assert_response): Declare.
|
|
|
978e96 |
* sysdeps/unix/sysv/linux/netlink_assert_response.c: New file.
|
|
|
978e96 |
* sysdeps/unix/sysv/linux/Makefile [$(subdir) == inet]
|
|
|
978e96 |
(sysdep_routines): Add netlink_assert_response.
|
|
|
978e96 |
* sysdeps/unix/sysv/linux/check_native.c (__check_native): Call
|
|
|
978e96 |
__netlink_assert_response.
|
|
|
978e96 |
* sysdeps/unix/sysv/linux/check_pf.c (make_request): Likewise.
|
|
|
978e96 |
* sysdeps/unix/sysv/linux/ifaddrs.c (__netlink_request): Likewise.
|
|
|
978e96 |
* sysdeps/unix/sysv/linux/Versions (GLIBC_PRIVATE): Add
|
|
|
978e96 |
__netlink_assert_response.
|
|
|
978e96 |
|
|
|
978e96 |
Conflicts:
|
|
|
978e96 |
sysdeps/unix/sysv/linux/check_pf.c
|
|
|
978e96 |
Upstream commit fda389c8f0311dd5786be91a7b54b9f935fcafa1
|
|
|
978e96 |
("Fix infinite loop in check_pf (BZ #12926)") was not backported
|
|
|
978e96 |
before and is superseded by the upstream commit backported here.
|
|
|
978e96 |
sysdeps/unix/sysv/linux/netlinkaccess.h
|
|
|
978e96 |
Missing backport of e054f494306530720114b321b3d97ca2f397cbbb
|
|
|
978e96 |
("Add #include <stdint.h> for uint[32|64]_t usage (except
|
|
|
978e96 |
installed headers)").
|
|
|
978e96 |
|
|
|
978e96 |
diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
|
|
|
978e96 |
index 95cff0ef651e74a9..bb69b985e6df7fb1 100644
|
|
|
978e96 |
--- a/sysdeps/unix/sysv/linux/Makefile
|
|
|
978e96 |
+++ b/sysdeps/unix/sysv/linux/Makefile
|
|
|
978e96 |
@@ -114,6 +114,7 @@ sysdep_headers += netinet/if_fddi.h netinet/if_tr.h \
|
|
|
978e96 |
netipx/ipx.h netash/ash.h netax25/ax25.h netatalk/at.h \
|
|
|
978e96 |
netrom/netrom.h netpacket/packet.h netrose/rose.h \
|
|
|
978e96 |
neteconet/ec.h netiucv/iucv.h
|
|
|
978e96 |
+sysdep_routines += netlink_assert_response
|
|
|
978e96 |
endif
|
|
|
978e96 |
|
|
|
978e96 |
# Don't compile the ctype glue code, since there is no old non-GNU C library.
|
|
|
978e96 |
diff --git a/sysdeps/unix/sysv/linux/Versions b/sysdeps/unix/sysv/linux/Versions
|
|
|
978e96 |
index 16bb28159099c5fa..202ffccc2908ddcc 100644
|
|
|
978e96 |
--- a/sysdeps/unix/sysv/linux/Versions
|
|
|
978e96 |
+++ b/sysdeps/unix/sysv/linux/Versions
|
|
|
978e96 |
@@ -169,5 +169,7 @@ libc {
|
|
|
978e96 |
GLIBC_PRIVATE {
|
|
|
978e96 |
# functions used in other libraries
|
|
|
978e96 |
__syscall_rt_sigqueueinfo;
|
|
|
978e96 |
+ # functions used by nscd
|
|
|
978e96 |
+ __netlink_assert_response;
|
|
|
978e96 |
}
|
|
|
978e96 |
}
|
|
|
978e96 |
diff --git a/sysdeps/unix/sysv/linux/check_native.c b/sysdeps/unix/sysv/linux/check_native.c
|
|
|
978e96 |
index 4968a07a0f8c7932..319b46762aeaf3b6 100644
|
|
|
978e96 |
--- a/sysdeps/unix/sysv/linux/check_native.c
|
|
|
978e96 |
+++ b/sysdeps/unix/sysv/linux/check_native.c
|
|
|
978e96 |
@@ -35,6 +35,7 @@
|
|
|
978e96 |
|
|
|
978e96 |
#include <not-cancel.h>
|
|
|
978e96 |
|
|
|
978e96 |
+#include "netlinkaccess.h"
|
|
|
978e96 |
|
|
|
978e96 |
void
|
|
|
978e96 |
__check_native (uint32_t a1_index, int *a1_native,
|
|
|
978e96 |
@@ -117,6 +118,7 @@ __check_native (uint32_t a1_index, int *a1_native,
|
|
|
978e96 |
};
|
|
|
978e96 |
|
|
|
978e96 |
ssize_t read_len = TEMP_FAILURE_RETRY (__recvmsg (fd, &msg, 0));
|
|
|
978e96 |
+ __netlink_assert_response (fd, read_len);
|
|
|
978e96 |
if (read_len < 0)
|
|
|
978e96 |
goto out_fail;
|
|
|
978e96 |
|
|
|
978e96 |
diff --git a/sysdeps/unix/sysv/linux/check_pf.c b/sysdeps/unix/sysv/linux/check_pf.c
|
|
|
978e96 |
index d33e1b497d8ba9c7..6b28a735a14f1498 100644
|
|
|
978e96 |
--- a/sysdeps/unix/sysv/linux/check_pf.c
|
|
|
978e96 |
+++ b/sysdeps/unix/sysv/linux/check_pf.c
|
|
|
978e96 |
@@ -36,6 +36,7 @@
|
|
|
978e96 |
#include <atomic.h>
|
|
|
978e96 |
#include <nscd/nscd-client.h>
|
|
|
978e96 |
|
|
|
978e96 |
+#include "netlinkaccess.h"
|
|
|
978e96 |
|
|
|
978e96 |
#ifndef IFA_F_HOMEADDRESS
|
|
|
978e96 |
# define IFA_F_HOMEADDRESS 0
|
|
|
978e96 |
@@ -178,6 +179,7 @@ make_request (int fd, pid_t pid)
|
|
|
978e96 |
};
|
|
|
978e96 |
|
|
|
978e96 |
ssize_t read_len = TEMP_FAILURE_RETRY (__recvmsg (fd, &msg, 0));
|
|
|
978e96 |
+ __netlink_assert_response (fd, read_len);
|
|
|
978e96 |
if (read_len < 0)
|
|
|
978e96 |
goto out_fail;
|
|
|
978e96 |
|
|
|
978e96 |
diff --git a/sysdeps/unix/sysv/linux/ifaddrs.c b/sysdeps/unix/sysv/linux/ifaddrs.c
|
|
|
978e96 |
index 179653103e057b79..c87e594e30a314fe 100644
|
|
|
978e96 |
--- a/sysdeps/unix/sysv/linux/ifaddrs.c
|
|
|
978e96 |
+++ b/sysdeps/unix/sysv/linux/ifaddrs.c
|
|
|
978e96 |
@@ -169,6 +169,7 @@ __netlink_request (struct netlink_handle *h, int type)
|
|
|
978e96 |
};
|
|
|
978e96 |
|
|
|
978e96 |
read_len = TEMP_FAILURE_RETRY (__recvmsg (h->fd, &msg, 0));
|
|
|
978e96 |
+ __netlink_assert_response (h->fd, read_len);
|
|
|
978e96 |
if (read_len < 0)
|
|
|
978e96 |
goto out_fail;
|
|
|
978e96 |
|
|
|
978e96 |
diff --git a/sysdeps/unix/sysv/linux/netlink_assert_response.c b/sysdeps/unix/sysv/linux/netlink_assert_response.c
|
|
|
978e96 |
new file mode 100644
|
|
|
978e96 |
index 0000000000000000..b570e93db840fec1
|
|
|
978e96 |
--- /dev/null
|
|
|
978e96 |
+++ b/sysdeps/unix/sysv/linux/netlink_assert_response.c
|
|
|
978e96 |
@@ -0,0 +1,106 @@
|
|
|
978e96 |
+/* Check recvmsg results for netlink sockets.
|
|
|
978e96 |
+ Copyright (C) 2015 Free Software Foundation, Inc.
|
|
|
978e96 |
+ This file is part of the GNU C Library.
|
|
|
978e96 |
+
|
|
|
978e96 |
+ The GNU C Library is free software; you can redistribute it and/or
|
|
|
978e96 |
+ modify it under the terms of the GNU Lesser General Public
|
|
|
978e96 |
+ License as published by the Free Software Foundation; either
|
|
|
978e96 |
+ version 2.1 of the License, or (at your option) any later version.
|
|
|
978e96 |
+
|
|
|
978e96 |
+ The GNU C Library is distributed in the hope that it will be useful,
|
|
|
978e96 |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
978e96 |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
978e96 |
+ Lesser General Public License for more details.
|
|
|
978e96 |
+
|
|
|
978e96 |
+ You should have received a copy of the GNU Lesser General Public
|
|
|
978e96 |
+ License along with the GNU C Library; if not, see
|
|
|
978e96 |
+ <http://www.gnu.org/licenses/>. */
|
|
|
978e96 |
+
|
|
|
978e96 |
+#include <errno.h>
|
|
|
978e96 |
+#include <fcntl.h>
|
|
|
978e96 |
+#include <stdio.h>
|
|
|
978e96 |
+#include <sys/socket.h>
|
|
|
978e96 |
+
|
|
|
978e96 |
+#include "netlinkaccess.h"
|
|
|
978e96 |
+
|
|
|
978e96 |
+static int
|
|
|
978e96 |
+get_address_family (int fd)
|
|
|
978e96 |
+{
|
|
|
978e96 |
+ struct sockaddr_storage sa;
|
|
|
978e96 |
+ socklen_t sa_len = sizeof (sa);
|
|
|
978e96 |
+ if (__getsockname (fd, (struct sockaddr *) &sa, &sa_len) < 0)
|
|
|
978e96 |
+ return -1;
|
|
|
978e96 |
+ /* Check that the socket family number is preserved despite in-band
|
|
|
978e96 |
+ signaling. */
|
|
|
978e96 |
+ _Static_assert (sizeof (sa.ss_family) < sizeof (int), "address family size");
|
|
|
978e96 |
+ _Static_assert (0 < (__typeof__ (sa.ss_family)) -1,
|
|
|
978e96 |
+ "address family unsigned");
|
|
|
978e96 |
+ return sa.ss_family;
|
|
|
978e96 |
+}
|
|
|
978e96 |
+
|
|
|
978e96 |
+void
|
|
|
978e96 |
+internal_function
|
|
|
978e96 |
+__netlink_assert_response (int fd, ssize_t result)
|
|
|
978e96 |
+{
|
|
|
978e96 |
+ if (result < 0)
|
|
|
978e96 |
+ {
|
|
|
978e96 |
+ /* Check if the error is unexpected. */
|
|
|
978e96 |
+ bool terminate = false;
|
|
|
978e96 |
+ int error_code = errno;
|
|
|
978e96 |
+ int family = get_address_family (fd);
|
|
|
978e96 |
+ if (family != AF_NETLINK)
|
|
|
978e96 |
+ /* If the address family does not match (or getsockname
|
|
|
978e96 |
+ failed), report the original error. */
|
|
|
978e96 |
+ terminate = true;
|
|
|
978e96 |
+ else if (error_code == EBADF
|
|
|
978e96 |
+ || error_code == ENOTCONN
|
|
|
978e96 |
+ || error_code == ENOTSOCK
|
|
|
978e96 |
+ || error_code == ECONNREFUSED)
|
|
|
978e96 |
+ /* These errors indicate that the descriptor is not a
|
|
|
978e96 |
+ connected socket. */
|
|
|
978e96 |
+ terminate = true;
|
|
|
978e96 |
+ else if (error_code == EAGAIN || error_code == EWOULDBLOCK)
|
|
|
978e96 |
+ {
|
|
|
978e96 |
+ /* The kernel might return EAGAIN for other reasons than a
|
|
|
978e96 |
+ non-blocking socket. But if the socket is not blocking,
|
|
|
978e96 |
+ it is not ours, so report the error. */
|
|
|
978e96 |
+ int mode = __fcntl (fd, F_GETFL, 0);
|
|
|
978e96 |
+ if (mode < 0 || (mode & O_NONBLOCK) != 0)
|
|
|
978e96 |
+ terminate = true;
|
|
|
978e96 |
+ }
|
|
|
978e96 |
+ if (terminate)
|
|
|
978e96 |
+ {
|
|
|
978e96 |
+ char message[200];
|
|
|
978e96 |
+ if (family < 0)
|
|
|
978e96 |
+ __snprintf (message, sizeof (message),
|
|
|
978e96 |
+ "Unexpected error %d on netlink descriptor %d",
|
|
|
978e96 |
+ error_code, fd);
|
|
|
978e96 |
+ else
|
|
|
978e96 |
+ __snprintf (message, sizeof (message),
|
|
|
978e96 |
+ "Unexpected error %d on netlink descriptor %d"
|
|
|
978e96 |
+ " (address family %d)",
|
|
|
978e96 |
+ error_code, fd, family);
|
|
|
978e96 |
+ __libc_fatal (message);
|
|
|
978e96 |
+ }
|
|
|
978e96 |
+ else
|
|
|
978e96 |
+ /* Restore orignal errno value. */
|
|
|
978e96 |
+ __set_errno (error_code);
|
|
|
978e96 |
+ }
|
|
|
978e96 |
+ else if (result < sizeof (struct nlmsghdr))
|
|
|
978e96 |
+ {
|
|
|
978e96 |
+ char message[200];
|
|
|
978e96 |
+ int family = get_address_family (fd);
|
|
|
978e96 |
+ if (family < 0)
|
|
|
978e96 |
+ __snprintf (message, sizeof (message),
|
|
|
978e96 |
+ "Unexpected netlink response of size %zd"
|
|
|
978e96 |
+ " on descriptor %d",
|
|
|
978e96 |
+ result, fd);
|
|
|
978e96 |
+ else
|
|
|
978e96 |
+ __snprintf (message, sizeof (message),
|
|
|
978e96 |
+ "Unexpected netlink response of size %zd"
|
|
|
978e96 |
+ " on descriptor %d (address family %d)",
|
|
|
978e96 |
+ result, fd, family);
|
|
|
978e96 |
+ __libc_fatal (message);
|
|
|
978e96 |
+ }
|
|
|
978e96 |
+}
|
|
|
978e96 |
+libc_hidden_def (__netlink_assert_response)
|
|
|
978e96 |
diff --git a/sysdeps/unix/sysv/linux/netlinkaccess.h b/sysdeps/unix/sysv/linux/netlinkaccess.h
|
|
|
978e96 |
index 6cd8a882640d2486..33dc4e12cd464681 100644
|
|
|
978e96 |
--- a/sysdeps/unix/sysv/linux/netlinkaccess.h
|
|
|
978e96 |
+++ b/sysdeps/unix/sysv/linux/netlinkaccess.h
|
|
|
978e96 |
@@ -18,6 +18,7 @@
|
|
|
978e96 |
#ifndef _NETLINKACCESS_H
|
|
|
978e96 |
#define _NETLINKACCESS_H 1
|
|
|
978e96 |
|
|
|
978e96 |
+#include <sys/types.h>
|
|
|
978e96 |
#include <asm/types.h>
|
|
|
978e96 |
#include <linux/netlink.h>
|
|
|
978e96 |
#include <linux/rtnetlink.h>
|
|
|
978e96 |
@@ -49,5 +50,10 @@ extern void __netlink_close (struct netlink_handle *h);
|
|
|
978e96 |
extern void __netlink_free_handle (struct netlink_handle *h);
|
|
|
978e96 |
extern int __netlink_request (struct netlink_handle *h, int type);
|
|
|
978e96 |
|
|
|
978e96 |
+/* Terminate the process if RESULT is an invalid recvmsg result for
|
|
|
978e96 |
+ the netlink socket FD. */
|
|
|
978e96 |
+void __netlink_assert_response (int fd, ssize_t result)
|
|
|
978e96 |
+ internal_function;
|
|
|
978e96 |
+libc_hidden_proto (__netlink_assert_response)
|
|
|
978e96 |
|
|
|
978e96 |
#endif /* netlinkaccess.h */
|