Hi,
The following code instantly freezes all of my machines running
any of the beavers:
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
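/*
 * Reproducer: read the first chunk of /proc/net/tcp, then seek backwards
 * with SEEK_CUR to a position inside the data already read.
 *
 * Returns 0 when the sequence ran to completion, 1 when the file could
 * not be opened or read.  Every syscall result is checked so a failure
 * is reported instead of being silently fed into the next call.
 */
int main(void) {
    char buf[8192];

    int fd = open("/proc/net/tcp", O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    /* read() returns ssize_t; a negative value is an error, not a length. */
    ssize_t chars = read(fd, buf, sizeof buf);
    if (chars < 0) {
        perror("read");
        close(fd);
        return 1;
    }

    /*
     * The offset is relative to the current position, so -chars+1 lands
     * on the second byte of the data just read.  Do the arithmetic in
     * off_t, the type lseek() actually takes, and report a refused seek.
     */
    if (lseek(fd, -(off_t)chars + 1, SEEK_CUR) == (off_t)-1) {
        perror("lseek");
    }

    close(fd);
    return 0;
}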
It only happens when I lseek() anywhere from -chars+1 to -chars+150
inclusive (in other words, somewhere on the first line). I do not
need root to abuse this, which makes it an excellent DoS attack for
anyone with an unprivileged account.
I do get an oops, but as I do not have a serial console I'd rather
not transcribe it to paper and post it unless it's crucial to
pinpointing the bug.
--
Tore Anderson
--- seq_file.c.org 2003-11-28 11:12:28.000000000 +0530
+++ seq_file.c 2003-11-28 11:44:44.968883784 +0530
@@ -213,6 +213,9 @@
switch (origin) {
case 1:
offset += file->f_pos;
+ if(offset >= 0)
+ retval = file->f_pos = offset;
+ break;
case 0:
if (offset < 0)
break;
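Review bot: The new `case 1` arm assigns `file->f_pos` and breaks before reaching the code that the old fall-through into `case 0` executed, so a relative seek now moves the file position while whatever the `case 0` path maintains for the seq_file iterator is left as it was; the two can then disagree on the next read. The remainder of `case 0` and the enclosing function are outside the hunk, so this is inferred from the visible `if (offset < 0) break;` being the only check the relative path used to share. Unless `case 0` does nothing beyond that check, keeping the fall-through and letting its negative-offset test reject the result looks safer than a separate assignment: `case 1: offset += file->f_pos; /* fallthrough */`. Style: `if(offset >= 0)` should be `if (offset >= 0)` to match the surrounding code.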
Tore Anderson <[email protected]> writes:
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <fcntl.h>
> #include <unistd.h>
> #include <stdio.h>
>
> int main(void) {
> char buf[8192];
> int fd, chars;
> fd = open("/proc/net/tcp", O_RDONLY);
> chars = read(fd, buf, sizeof(buf));
> lseek(fd, -chars+1, SEEK_CUR);
> close(fd);
> return 0;
> }
This seems to need initialization of st->state in tcp_seq_start().
tcp_seq_stop() is run with the previous st->state, so it calls the unneeded
unlock etc.
net/ipv4/tcp_ipv4.c | 1 +
1 files changed, 1 insertion(+)
diff -puN net/ipv4/tcp_ipv4.c~tcp_seq-oops-fix net/ipv4/tcp_ipv4.c
--- linux-2.6.0-test11/net/ipv4/tcp_ipv4.c~tcp_seq-oops-fix 2003-11-29 00:52:15.000000000 +0900
+++ linux-2.6.0-test11-hirofumi/net/ipv4/tcp_ipv4.c 2003-11-29 00:52:28.000000000 +0900
@@ -2356,6 +2356,7 @@ static void *tcp_get_idx(struct seq_file
static void *tcp_seq_start(struct seq_file *seq, loff_t *pos)
{
struct tcp_iter_state* st = seq->private;
+ st->state = TCP_SEQ_STATE_LISTENING;
st->num = 0;
return *pos ? tcp_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
}
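Review bot: The added `st->state = TCP_SEQ_STATE_LISTENING;` needs a comment saying why it is there, since nothing in tcp_seq_start itself reads `state`: `/* tcp_seq_stop() keys its unlock on st->state; reset it so a previous, partially completed walk cannot leave a stale value behind */`. If `struct tcp_iter_state` carries other per-walk fields that tcp_seq_stop or the *_get_idx helpers rely on, they may need the same reset at the start of a walk; that cannot be judged from this hunk. tcp_get_idx, called on the last line, is defined outside the hunk.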
_
--
OGAWA Hirofumi <[email protected]>
On Sat, 29 Nov 2003 02:12:38 +0900
OGAWA Hirofumi <[email protected]> wrote:
> This seems to need initialization of st->state in tcp_seq_start().
> tcp_seq_stop() is run with previous st->state, so it call the unneeded
> unlock etc.
Patch applied, arigato Hirofumi-san.