-----Original Message-----
From: Josh Hunt [mailto:joshhun...@gmail.com]
Sent: Tuesday, November 12, 2013 10:25 PM
To: David Miller
Cc: jjo...@suse.com; LKML; Venkat Venkatsubra; net...@vger.kernel.org
Subject: Re: [PATCH] rds: Error on offset mismatch if not loopback

On Tue, Nov 12, 2013 at 10:22 PM, Josh Hunt <joshhun...@gmail.com> wrote:
> On Sat, Sep 22, 2012 at 2:25 PM, David Miller <da...@davemloft.net> wrote:
>>
>> From: John Jolly <jjo...@suse.com>
>> Date: Fri, 21 Sep 2012 15:32:40 -0600
>>
>> > Attempting an rds connection from the IP address of an IPoIB
>> > interface to itself causes a kernel panic due to a BUG_ON() being
>> > triggered.
>> > Making the test less strict allows rds-ping to work without
>> > crashing the machine.
>> >
>> > A local unprivileged user could use this flaw to crash the system.
>> >
>> > Signed-off-by: John Jolly <jjo...@suse.com>
>>
>> Besides the questions being asked of you by Venkat Venkatsubra, this
>> patch has another issue.
>>
>> It has been completely corrupted by your email client, it has turned
>> all TAB characters into spaces, making the patch useless.
>>
>> Please learn how to send a patch unmolested in the body of your
>> email. Test it by emailing the patch to yourself, and verifying that
>> you can in fact apply the patch you receive in that email.
>> Then, and only then, should you consider making a new submission of
>> this patch.
>>
>> Use Documentation/email-clients.txt for guidance.
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>> the body of a message to majord...@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> Please read the FAQ at http://www.tux.org/lkml/
>
>
> I think this issue was lost in the shuffle. It appears that redhat,
> ubuntu, and oracle are maintaining local patches to resolve this:
>
> https://oss.oracle.com/git/?p=redpatch.git;a=commit;h=c7b6a0a1d8d636852be130fa15fa8be10d4704e8
> https://bugzilla.redhat.com/show_bug.cgi?id=822754
> http://ubuntu.5.x6.nabble.com/CVE-2012-2372-RDS-local-ping-DOS-td4985388.html
>
> Given that Oracle has applied it I'll make the assumption that
> Venkat's question was answered at some point.
>
> David - I can resubmit the patch with the proper signed-off-by and
> formatting if you are willing to apply it unless John wants to try
> again. I think it's time this got upstream.
>
> --
> Josh

Ugh.. hopefully resending with all the html crap removed...

--
Josh

Hi Josh,

No, I still didn't get an answer for how "off" could be non-zero in the
case of rds-ping to hit BUG_ON(off % RDS_FRAG_SIZE), because rds-ping
uses zero-byte messages to ping. If you have a test case that reproduces
the kernel panic I can try it out and see how that can happen. Oracle's
internal code I checked doesn't have that patch applied.

Venkat