Re: Recent full disclosure post - Local DOS



On 01/28/2011 01:27 PM, John Baldwin wrote:
On Friday, January 28, 2011 12:38:22 pm Tom Judge wrote:
On 01/28/2011 11:09 AM, John Baldwin wrote:
On Friday, January 28, 2011 11:08:37 am Tom Judge wrote:
On 01/28/2011 08:29 AM, Tom Judge wrote:

Has anyone looked at this:

[Full-disclosure] FreeBSD local denial of service - forced reboot

http://lists.grok.org.uk/pipermail/full-disclosure/2011-January/078836.html

<SNIP>

Hi John,

I can't repeat this with the code you sent. I tried this in a while (1)
loop and had 4 instances running without issue.

Humm. That is the only setsockopt for TCP that can trigger a call to
tcp_output().


Hi John,

I have just updated my test box to r218019.

Without your patch the issue is still present.

With your patch it seems to be fine (It passed 100 iterations of the
code in the post).

Tom


I have a possible fix I'm just not sure if it is completely correct:

Index: tcp_usrreq.c
===================================================================
--- tcp_usrreq.c (revision 218018)
+++ tcp_usrreq.c (working copy)
@@ -1330,7 +1330,8 @@ tcp_ctloutput(struct socket *so, struct sockopt *s
tp->t_flags |= TF_NOPUSH;
else {
tp->t_flags &= ~TF_NOPUSH;
- error = tcp_output(tp);
+ if (TCPS_HAVEESTABLISHED(tp->t_state))
+ error = tcp_output(tp);
}
INP_WUNLOCK(inp);
break;
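Review bot: the new guard `if (TCPS_HAVEESTABLISHED(tp->t_state))` leaves `error` untouched when `tcp_output(tp)` is skipped, and the hunk does not show what `error` holds at that point; confirm that the earlier part of this TCP_NOPUSH case sets it to 0 (for example by the option copy-in that produced the value being tested), otherwise clearing the option on a not-yet-established connection could hand a stale status back to the caller. A one-line comment above the new test would also help later readers, since it is not obvious from the code alone that reaching tcp_output() from this setsockopt path before the connection is established is what the reported forced reboot hinges on. The thread notes that this is the only TCP setsockopt able to reach tcp_output(), so placing the state check here rather than in tcp_output() itself is defensible; if that is the intent, stating it in the commit message saves the question being raised again in review.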



--
TJU13-ARIN
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
