[v2] core: dev: don't call BUG() on bad input

Message ID	1297694579-23611-1-git-send-email-segoon@openwall.com
State	Rejected, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:from:to:cc:subject:date:message-id:x-mailer; b=fd9tCWAKiJd7F8yFDsEcg8/ENa7NWmme6n6TAjxstOonKor2lFe0mkS/XYbP/6cPDv 4GcOXUJbWrQziLPBVjn57I+lALMHW5b3GhZG+4EW5rYrUn0DENvWqEb9M8AJxWdoaVAO y4qr127Pk8dkMVqh7AaQAI/cXiDUmeJUUaZYk= From: Vasiliy Kulikov <segoon@openwall.com> To: linux-kernel@vger.kernel.org Cc: "David S. Miller" <davem@davemloft.net>, Eric Dumazet <eric.dumazet@gmail.com>, Tom Herbert <therbert@google.com>, Changli Gao <xiaosuo@gmail.com>, Jesse Gross <jesse@nicira.com>, netdev@vger.kernel.org Subject: [PATCH v2] core: dev: don't call BUG() on bad input Date: Mon, 14 Feb 2011 17:42:58 +0300 Message-Id: <1297694579-23611-1-git-send-email-segoon@openwall.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk

Vasiliy Kulikov Feb. 14, 2011, 2:42 p.m. UTC

alloc_netdev() may be called with too long name (more that IFNAMSIZ bytes).
Currently this leads to BUG().  Other insane inputs (bad txqs, rxqs) and
even OOM don't lead to BUG().  Made alloc_netdev() return NULL, like on
other errors.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
---
 Compile tested.
 v2 - fixed checkpatch warning - space before "\n".

 net/core/dev.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

Alexey Dobriyan Feb. 14, 2011, 3:16 p.m. UTC | #1

On Mon, Feb 14, 2011 at 4:42 PM, Vasiliy Kulikov <segoon@openwall.com> wrote:
> alloc_netdev() may be called with too long name (more that IFNAMSIZ bytes).
> Currently this leads to BUG().  Other insane inputs (bad txqs, rxqs) and
> even OOM don't lead to BUG().  Made alloc_netdev() return NULL, like on
> other errors.

> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -5761,7 +5761,10 @@ struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name,
>        size_t alloc_size;
>        struct net_device *p;
>
> -       BUG_ON(strlen(name) >= sizeof(dev->name));
> +       if (strnlen(name, sizeof(dev->name)) >= sizeof(dev->name)) {
> +               pr_err("alloc_netdev: Too long device name\n");
> +               return NULL;
> +       }

Netdevice name isn't some random junk you get from userspace, so BUG is fine.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Vasiliy Kulikov Feb. 14, 2011, 3:23 p.m. UTC | #2

Alexey,

On Mon, Feb 14, 2011 at 17:16 +0200, Alexey Dobriyan wrote:
> On Mon, Feb 14, 2011 at 4:42 PM, Vasiliy Kulikov <segoon@openwall.com> wrote:
> > alloc_netdev() may be called with too long name (more that IFNAMSIZ bytes).
> > Currently this leads to BUG().  Other insane inputs (bad txqs, rxqs) and
> > even OOM don't lead to BUG().  Made alloc_netdev() return NULL, like on
> > other errors.
> 
> > --- a/net/core/dev.c
> > +++ b/net/core/dev.c
> > @@ -5761,7 +5761,10 @@ struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name,
> >        size_t alloc_size;
> >        struct net_device *p;
> >
> > -       BUG_ON(strlen(name) >= sizeof(dev->name));
> > +       if (strnlen(name, sizeof(dev->name)) >= sizeof(dev->name)) {
> > +               pr_err("alloc_netdev: Too long device name\n");
> > +               return NULL;
> > +       }
> 
> Netdevice name isn't some random junk you get from userspace, so BUG is fine.

It IS for bluetooth, see net/bluetooth/bnep/core.c: bnep_add_connection() and
net/bluetooth/bnep/sock.c: bnep_sock_ioctl(). 

And txqs, txqs?  Then why do not BUG() on bad txqs too?  Why so
insonsistent?  BUG() should be called in some critical situation, net
device creation is probably not such a thing.


Thanks,

Patrick McHardy Feb. 14, 2011, 3:41 p.m. UTC | #3

Am 14.02.2011 16:16, schrieb Alexey Dobriyan:
> On Mon, Feb 14, 2011 at 4:42 PM, Vasiliy Kulikov <segoon@openwall.com> wrote:
>> alloc_netdev() may be called with too long name (more that IFNAMSIZ bytes).
>> Currently this leads to BUG().  Other insane inputs (bad txqs, rxqs) and
>> even OOM don't lead to BUG().  Made alloc_netdev() return NULL, like on
>> other errors.
> 
>> --- a/net/core/dev.c
>> +++ b/net/core/dev.c
>> @@ -5761,7 +5761,10 @@ struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name,
>>        size_t alloc_size;
>>        struct net_device *p;
>>
>> -       BUG_ON(strlen(name) >= sizeof(dev->name));
>> +       if (strnlen(name, sizeof(dev->name)) >= sizeof(dev->name)) {
>> +               pr_err("alloc_netdev: Too long device name\n");
>> +               return NULL;
>> +       }
> 
> Netdevice name isn't some random junk you get from userspace, so BUG is fine.

I agree, misuse of kernel APIs is not something we need to catch
verbosely.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

David Miller Feb. 14, 2011, 7:25 p.m. UTC | #4

From: Vasiliy Kulikov <segoon@openwall.com>
Date: Mon, 14 Feb 2011 18:23:10 +0300

> On Mon, Feb 14, 2011 at 17:16 +0200, Alexey Dobriyan wrote:
>> Netdevice name isn't some random junk you get from userspace, so BUG is fine.
> 
> It IS for bluetooth, see net/bluetooth/bnep/core.c: bnep_add_connection() and
> net/bluetooth/bnep/sock.c: bnep_sock_ioctl(). 

If bluetooth wants to allow something so foolish, then it's bluetooth's
responsibility to sanity check the arguments before blinding passing
them into kernel APIs which expect sane inputs.

I'm not applying this.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Tom Herbert Feb. 14, 2011, 7:33 p.m. UTC | #5

On Mon, Feb 14, 2011 at 11:25 AM, David Miller <davem@davemloft.net> wrote:
> From: Vasiliy Kulikov <segoon@openwall.com>
> Date: Mon, 14 Feb 2011 18:23:10 +0300
>
>> On Mon, Feb 14, 2011 at 17:16 +0200, Alexey Dobriyan wrote:
>>> Netdevice name isn't some random junk you get from userspace, so BUG is fine.
>>
>> It IS for bluetooth, see net/bluetooth/bnep/core.c: bnep_add_connection() and
>> net/bluetooth/bnep/sock.c: bnep_sock_ioctl().
>
> If bluetooth wants to allow something so foolish, then it's bluetooth's
> responsibility to sanity check the arguments before blinding passing
> them into kernel APIs which expect sane inputs.
>
> I'm not applying this.
>

Changing to BUG_ON(txqs < 1) and BUG_ON(rxqs < 1) does make sense I think.

Tom
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

David Miller Feb. 14, 2011, 7:36 p.m. UTC | #6

From: Tom Herbert <therbert@google.com>
Date: Mon, 14 Feb 2011 11:33:29 -0800

> On Mon, Feb 14, 2011 at 11:25 AM, David Miller <davem@davemloft.net> wrote:
>> From: Vasiliy Kulikov <segoon@openwall.com>
>> Date: Mon, 14 Feb 2011 18:23:10 +0300
>>
>>> On Mon, Feb 14, 2011 at 17:16 +0200, Alexey Dobriyan wrote:
>>>> Netdevice name isn't some random junk you get from userspace, so BUG is fine.
>>>
>>> It IS for bluetooth, see net/bluetooth/bnep/core.c: bnep_add_connection() and
>>> net/bluetooth/bnep/sock.c: bnep_sock_ioctl().
>>
>> If bluetooth wants to allow something so foolish, then it's bluetooth's
>> responsibility to sanity check the arguments before blinding passing
>> them into kernel APIs which expect sane inputs.
>>
>> I'm not applying this.
>>
> 
> Changing to BUG_ON(txqs < 1) and BUG_ON(rxqs < 1) does make sense I think.

Sure.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[v2] core: dev: don't call BUG() on bad input

Commit Message

Comments

Patch