* [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp
@ 2003-11-27 23:05 Tore Anderson
From: Tore Anderson @ 2003-11-27 23:05 UTC (permalink / raw)
  To: linux-kernel


  Hi,

  The following code instantly freezes all of my machines running
 any of the beavers:

    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <stdio.h>

    int main(void) {
            char buf[8192];
            int fd;
            ssize_t chars;

            fd = open("/proc/net/tcp", O_RDONLY);
            if (fd < 0) {
                    perror("open");
                    return 1;
            }
            /* read past the header line (and whatever follows it) */
            chars = read(fd, buf, sizeof(buf));
            if (chars <= 0) {
                    perror("read");
                    return 1;
            }
            /* seek back to somewhere inside the first line */
            lseek(fd, -chars+1, SEEK_CUR);
            close(fd);
            return 0;
    }

  It only happens when I lseek() anywhere from -chars+1 to -chars+150
 inclusive (in other words, somewhere on the first line).  I do not
 need root to abuse this, which makes it an excellent DoS attack for
 anyone with an unprivileged account.

  I do get an oops, but as I do not have a serial console I'd rather
 not transcribe it to paper and post it unless it's crucial to
 pinpointing the bug.

-- 
Tore Anderson



* Re: [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp
From: Raj @ 2003-11-28  6:19 UTC (permalink / raw)
  To: Tore Anderson; +Cc: linux-kernel


Tore Anderson wrote:

>  Hi,
>
>  The following code instantly freezes all of my machines running
> any of the beavers:
>  
>
The following patch fixed this, but I am _not_not_not sure whether this
is the right way to do it.
Any ideas, folks?

/Raj





[-- Attachment #2: lseek_crash.patch --]
[-- Type: text/plain, Size: 294 bytes --]

--- seq_file.c.org	2003-11-28 11:12:28.000000000 +0530
+++ seq_file.c	2003-11-28 11:44:44.968883784 +0530
@@ -213,6 +213,9 @@
 	switch (origin) {
 		case 1:
 			offset += file->f_pos;
+			if(offset >= 0)
+				retval = file->f_pos = offset;
+			break;
 		case 0:
 			if (offset < 0)
 				break;
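Review bot: the new `break;` under `case 1` stops a SEEK_CUR from falling through into the `case 0` path, so after the `offset < 0` check a relative seek now assigns `file->f_pos = offset` directly and skips whatever `case 0` does beyond that check (in seq_lseek that is the walk that re-positions the seq_file iterator to the new offset); the seq_file's buffered position is then out of step with `f_pos` on the next read, and the oops is avoided only because the iterator is no longer re-walked, not because the crash during that walk is understood. A negative `offset` still falls into `case 0` and hits its `break`, so the `if(offset >= 0)` guard adds nothing; drop the three lines and keep the shared path once the iterator bug itself is fixed. Style: `if(` wants a space after `if`.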


* Re: [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp
From: OGAWA Hirofumi @ 2003-11-28 17:12 UTC (permalink / raw)
  To: Tore Anderson; +Cc: David S. Miller, linux-kernel

Tore Anderson <tore@linpro.no> writes:

>     #include <sys/types.h>
>     #include <sys/stat.h>
>     #include <fcntl.h>
>     #include <unistd.h>
>     #include <stdio.h>
> 
>     int main(void) {
>             char buf[8192];
>             int fd, chars;
>             fd = open("/proc/net/tcp", O_RDONLY);
>             chars = read(fd, buf, sizeof(buf));
>             lseek(fd, -chars+1, SEEK_CUR);
>             close(fd);
>             return 0;
>     }

This seems to need initialization of st->state in tcp_seq_start().
tcp_seq_stop() is run with the previous st->state, so it calls the unneeded
unlock etc.

 net/ipv4/tcp_ipv4.c |    1 +
 1 files changed, 1 insertion(+)

diff -puN net/ipv4/tcp_ipv4.c~tcp_seq-oops-fix net/ipv4/tcp_ipv4.c
--- linux-2.6.0-test11/net/ipv4/tcp_ipv4.c~tcp_seq-oops-fix	2003-11-29 00:52:15.000000000 +0900
+++ linux-2.6.0-test11-hirofumi/net/ipv4/tcp_ipv4.c	2003-11-29 00:52:28.000000000 +0900
@@ -2356,6 +2356,7 @@ static void *tcp_get_idx(struct seq_file
 static void *tcp_seq_start(struct seq_file *seq, loff_t *pos)
 {
 	struct tcp_iter_state* st = seq->private;
+	st->state = TCP_SEQ_STATE_LISTENING;
 	st->num = 0;
 	return *pos ? tcp_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
 }
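Review bot: the added `st->state = TCP_SEQ_STATE_LISTENING;` deserves a one-line comment saying why it is needed, because the `*pos == 0` branch of the return below it hands back `SEQ_START_TOKEN` without touching `st->state` at all, so on a second traversal (the one `lseek()` triggers) `tcp_seq_stop()` would otherwise act on the state left behind by the previous walk; something like `/* stop() keys its unlocks off st->state: never leave it stale */` above the assignment would keep the next reader from "simplifying" it away.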

-- 
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
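A constructed user-space model of the iterator state machine this reply describes, added here and not code from the thread or from the kernel: stop() keys its unlocks off st->state, so a start() that returns the start token without resetting that state leaves stop() releasing locks the previous walk already dropped. The table sizes and the lock counters are assumptions standing in for the listening and established hash tables and their locks.

```c
#include <stddef.h>
/* Constructed user-space model of the tcp_seq start/next/stop state machine
 * from the thread (not the kernel's code). Each lock is a counter; a counter
 * driven below zero is the unbalanced unlock / local_bh_enable() behind the oops. */
enum { ST_LISTENING, ST_ESTABLISHED };
enum { ROWS_LISTENING = 1, ROWS_ESTABLISHED = 2 };  /* constructed table sizes */
struct iter { int state, listen_lock, ehash_lock, bh_disabled; };
static char start_token, row;                       /* non-NULL cookies */
#define START_TOKEN ((void *)&start_token)
/* tcp_get_idx(): walk to row `pos`, ending up holding that table's lock. */
static void *get_idx(struct iter *st, int pos)
{
	st->listen_lock++; st->state = ST_LISTENING;
	if (pos < ROWS_LISTENING) return &row;
	st->listen_lock--; st->bh_disabled++; st->state = ST_ESTABLISHED;
	if (pos - ROWS_LISTENING >= ROWS_ESTABLISHED) return NULL; /* end; bh stays off */
	st->ehash_lock++; return &row;
}
static void *seq_start(struct iter *st, int pos, int fixed)
{
	if (fixed) st->state = ST_LISTENING;        /* the one-line fix from the thread */
	return pos ? get_idx(st, pos - 1) : START_TOKEN;
}
/* tcp_seq_stop(): release whatever the *recorded* state says is held. */
static void seq_stop(struct iter *st, void *v)
{
	if (st->state == ST_LISTENING) {
		if (v != START_TOKEN) st->listen_lock--;
	} else {
		if (v) st->ehash_lock--;
		st->bh_disabled--;
	}
}
/* Simplified next(): release the current row, then re-walk to the following one. */
static void *seq_next(struct iter *st, void *v, int *pos)
{ seq_stop(st, v); return get_idx(st, (*pos)++); }
/* The report's reproducer: read it all, then lseek() back into the first line,
 * for which seq_file calls start(0) and stop(START_TOKEN) with no next() in
 * between. Returns how many lock counters end up unbalanced: 2 buggy, 0 fixed. */
static int replay_lseek_into_header(int fixed)
{
	struct iter st = {0}; int pos = 0;
	void *v = seq_start(&st, pos, fixed);
	while (v) v = seq_next(&st, v, &pos);
	seq_stop(&st, v);                           /* full read done; state is ESTABLISHED */
	seq_stop(&st, seq_start(&st, 0, fixed));    /* traverse() for the lseek() */
	return (st.listen_lock != 0) + (st.ehash_lock != 0) + (st.bh_disabled != 0);
}
```

With `fixed == 0` the second stop() runs in ESTABLISHED state against a START_TOKEN cursor and decrements both the ehash and bh counters that nothing took, which is the "unneeded unlock" the reply describes.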


* Re: [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp
From: David S. Miller @ 2003-11-30  4:42 UTC (permalink / raw)
  To: OGAWA Hirofumi; +Cc: tore, linux-kernel

On Sat, 29 Nov 2003 02:12:38 +0900
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> wrote:

> This seems to need initialization of st->state in tcp_seq_start().
> tcp_seq_stop() is run with the previous st->state, so it calls the unneeded
> unlock etc.

Patch applied, arigato Hirofumi-san.

