2003-11-27 23:05:44

by Tore Anderson

Subject: [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp


Hi,

The following code instantly freezes all of my machines running
any of the beavers:

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>

int main(void) {
    char buf[8192];
    int fd, chars;

    fd = open("/proc/net/tcp", O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    /* Read once, then seek back into the first line of what was read:
     * that is what triggers the oops. */
    chars = read(fd, buf, sizeof(buf));
    if (chars <= 0) {
        perror("read");
        close(fd);
        return 1;
    }
    lseek(fd, -chars + 1, SEEK_CUR);
    close(fd);
    return 0;
}

It only happens when I lseek() anywhere from -chars+1 to -chars+150
inclusive (in other words, somewhere on the first line). I do not
need root to abuse this, which makes it an excellent DoS attack for
anyone with an unprivileged account.

I do get an oops, but as I do not have a serial console I'd rather
not transcribe it to paper and post it unless it's crucial to
pinpointing the bug.

--
Tore Anderson


2003-11-28 06:16:16

by Raj

Subject: Re: [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp

--- seq_file.c.org 2003-11-28 11:12:28.000000000 +0530
+++ seq_file.c 2003-11-28 11:44:44.968883784 +0530
@@ -213,6 +213,9 @@
switch (origin) {
case 1:
offset += file->f_pos;
+ if(offset >= 0)
+ retval = file->f_pos = offset;
+ break;
case 0:
if (offset < 0)
break;
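Review bot: the new `break` in `case 1` makes SEEK_CUR take a different path from SEEK_SET: once `offset` has been adjusted by `file->f_pos`, the hunk stores it straight into `file->f_pos` and leaves the switch, skipping the `case 0` code that follows, so whatever that code does to reposition the seq_file iterator for a new offset is no longer done for SEEK_CUR, and the next read() would continue from an iterator position that does not match `f_pos`. A negative `offset` also drops out of the switch without touching `retval`, so what the caller sees depends on how `retval` was initialised above the hunk. The reporter's oops is in the /proc/net/tcp iterator rather than in generic seq_file seeking; changing seek semantics for every seq_file user hides that oops rather than fixing it, and keeping the fall-through while fixing the iterator's start/stop state would be the safer change. Style: kernel code writes `if (offset >= 0)` with a space after `if`.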


Attachments:
lseek_crash.patch (294.00 B)

2003-11-28 17:13:30

by OGAWA Hirofumi

Subject: Re: [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp

Tore Anderson <[email protected]> writes:

> #include <sys/types.h>
> #include <sys/stat.h>
> #include <fcntl.h>
> #include <unistd.h>
> #include <stdio.h>
>
> int main(void) {
> char buf[8192];
> int fd, chars;
> fd = open("/proc/net/tcp", O_RDONLY);
> chars = read(fd, buf, sizeof(buf));
> lseek(fd, -chars+1, SEEK_CUR);
> close(fd);
> return 0;
> }

This seems to need initialization of st->state in tcp_seq_start().
tcp_seq_stop() is run with the previous st->state, so it calls the unneeded
unlock etc.

net/ipv4/tcp_ipv4.c | 1 +
1 files changed, 1 insertion(+)

diff -puN net/ipv4/tcp_ipv4.c~tcp_seq-oops-fix net/ipv4/tcp_ipv4.c
--- linux-2.6.0-test11/net/ipv4/tcp_ipv4.c~tcp_seq-oops-fix 2003-11-29 00:52:15.000000000 +0900
+++ linux-2.6.0-test11-hirofumi/net/ipv4/tcp_ipv4.c 2003-11-29 00:52:28.000000000 +0900
@@ -2356,6 +2356,7 @@ static void *tcp_get_idx(struct seq_file
static void *tcp_seq_start(struct seq_file *seq, loff_t *pos)
{
struct tcp_iter_state* st = seq->private;
+ st->state = TCP_SEQ_STATE_LISTENING;
st->num = 0;
return *pos ? tcp_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
}
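Review bot: the added assignment deserves a one-line comment saying why it is there, since a reader of tcp_seq_start() alone cannot see that tcp_seq_stop() releases locks according to st->state and that a seek after a read() which ran to the end of the table restarts the walk with the stale value; something like `/* tcp_seq_stop() unlocks based on st->state; reset it for each walk */` above the line would do. Resetting every per-walk field in start(), as st->num already is on the next line, is the pairing seq_file expects between start() and stop(); it is worth a quick check whether any other field of st that tcp_seq_stop() or tcp_get_idx() consults can carry over between walks the same way.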

_
--
OGAWA Hirofumi <[email protected]>
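The mechanism OGAWA describes, a stop() that releases whichever lock st->state claims is held while a seek has restarted the walk with a value left over from the previous read(), is easier to see in userspace than in an oops. The following model is an added example, not code from the thread or from the kernel: the two tables, the lock-depth counters standing in for the real locks, the entry counts and the start/next/stop functions are all constructed here. It replays the reporter's sequence (a full read, then a seek back into the first line) once without the st->state reset and once with it, and counts the locks whose depth did not return to zero, which is the imbalance that shows up as "scheduling while atomic". It also goes one step beyond the thread by letting the seek land in the second table, where the stale state happens to be right, matching the report that only seeks into the first line crash.

```c
#include <stdio.h>

/* Constructed model (not kernel code) of a seq_file iterator that walks two
 * tables, each under its own lock, and records in st->state which lock it
 * holds, the way tcp_seq_start()/tcp_seq_stop() do. */
enum seq_state { STATE_LISTENING, STATE_ESTABLISHED };

struct iter_state {
    enum seq_state state;
    int num;
    int listening_held;   /* lock depth counters standing in for the real locks */
    int established_held;
};

#define LISTENING_ENTRIES   2   /* constructed table sizes */
#define ESTABLISHED_ENTRIES 3
#define TOTAL_ENTRIES (LISTENING_ENTRIES + ESTABLISHED_ENTRIES)

/* Move from the listening table to the established one: swap locks, record it. */
static void switch_to_established(struct iter_state *st)
{
    st->listening_held--;
    st->state = STATE_ESTABLISHED;
    st->established_held++;
}

/* start(): take the listening lock, then walk forward to entry `pos`.
 * With reset_state == 0 it behaves like the pre-fix code and trusts whatever
 * st->state was left behind by the previous traversal. */
static void seq_start(struct iter_state *st, int pos, int reset_state)
{
    if (reset_state)
        st->state = STATE_LISTENING;   /* the one-line fix from the thread */
    st->num = 0;
    st->listening_held++;              /* every walk begins in the listening table */
    while (st->num < pos) {
        st->num++;
        if (st->num == LISTENING_ENTRIES)
            switch_to_established(st);
    }
}

/* next(): advance one entry, crossing into the established table when needed.
 * Returns 0 once the walk has run past the last entry. */
static int seq_next(struct iter_state *st)
{
    st->num++;
    if (st->num == LISTENING_ENTRIES)
        switch_to_established(st);
    return st->num < TOTAL_ENTRIES;
}

/* stop(): release the lock st->state says we hold. A stale state releases
 * the wrong lock here, leaving the real one held. */
static void seq_stop(struct iter_state *st)
{
    if (st->state == STATE_ESTABLISHED)
        st->established_held--;
    else
        st->listening_held--;
}

/* Replay the reporter's sequence: one full read() traversal, then the short
 * traversal seq_file performs after lseek() to entry `seek_pos`.
 * Returns how many lock-depth counters did not return to zero. */
int lock_imbalance_after_lseek(int seek_pos, int reset_state)
{
    struct iter_state st = { STATE_LISTENING, 0, 0, 0 };

    /* Traversal 1: read() walks every entry, leaving st->state == ESTABLISHED. */
    seq_start(&st, 0, reset_state);
    while (seq_next(&st))
        ;
    seq_stop(&st);

    /* Traversal 2: lseek() restarts the walk at seek_pos, then stops again. */
    seq_start(&st, seek_pos, reset_state);
    seq_stop(&st);

    return (st.listening_held != 0) + (st.established_held != 0);
}

int main(void)
{
    printf("seek into first table, no reset:   %d lock(s) unbalanced\n",
           lock_imbalance_after_lseek(0, 0));
    printf("seek into second table, no reset:  %d lock(s) unbalanced\n",
           lock_imbalance_after_lseek(3, 0));
    printf("seek into first table, with reset: %d lock(s) unbalanced\n",
           lock_imbalance_after_lseek(0, 1));
    return 0;
}
```

Without the reset, a seek that lands in the first table leaves the listening lock held and "releases" the established lock a second time, which is the unneeded unlock in the diagnosis; a seek past the first table coincidentally agrees with the stale state and balances, which is why the reporter only saw the crash for offsets inside the first line. With the reset every walk balances regardless of where it starts.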

2003-11-30 04:43:23

by David Miller

Subject: Re: [BUG] scheduling while atomic when lseek()ing in /proc/net/tcp

On Sat, 29 Nov 2003 02:12:38 +0900
OGAWA Hirofumi <[email protected]> wrote:

> This seems to need initialization of st->state in tcp_seq_start().
> tcp_seq_stop() is run with the previous st->state, so it calls the unneeded
> unlock etc.

Patch applied, arigato Hirofumi-san.