Re: LSF and SOCK_PACKET

Andi Kleen (ak@muc.de)
Thu, 15 Oct 1998 20:56:20 +0200


On Thu, Oct 15, 1998 at 07:47:20PM +0200, kuznet@ms2.inr.ac.ru wrote:
> Hello!
>
> > Do I miss something again, or do sk_attach_filter/sk_chk_filter really
> > not bother to copy the filter instructions from user space to kernel space
> > before checking it?
>
> No, you are right. Generally, sk_filter.c is too direct replica
> from bpf. This code was good for bsd, where it was accessible
> only by superuser...
>
> Before allowing all users to use it, it needs careful
> line-by-line checking (especially arithmetic overflows!).
> F.e. now:
>
> - it contains invalid unsigned comparisons.
> - it has instances of "long" where "u32" must be used,
> and does not work on 64-bit archs.
> - it gives access to small negative offsets (-4,-2,-1),
> which is not dangerous, but forces to suspect more bugs.

More bugs:
- There are races while removing/setting the new filter (the new filter
can be used with the old sk->filter size, the old filter is still available
to interrupts after it is freed etc. etc.). The same in
SO_DETACH_FILTER (the filter is freed first then sk->filter is cleared)

-Andi

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
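The defects the thread names (checking a program that is still in user memory, doing the bounds arithmetic in signed or `long` types, and freeing the filter before `sk->filter` is cleared) are easiest to see next to a correct ordering. The following user-space C model is an added example, not code from the kernel or from either poster: `bpf_insn` mirrors the `struct sock_filter` field layout, `BPF_MAXINSNS` is an assumed limit, and `attach_filter`, `chk_filter` and `detach_filter` are simplified stand-ins for `sk_attach_filter`, `sk_chk_filter` and the `SO_DETACH_FILTER` path. It copies the program into kernel-owned memory before validating it, performs every jump-bound check in unsigned `uint32_t` arithmetic so a huge offset cannot wrap back into range, and unpublishes the pointer before freeing it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Classic BPF instruction: same field layout and widths as struct sock_filter. */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt, jf;
    uint32_t k;
};

/* Opcode bits used by this toy checker (values as in classic BPF). */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_JA   0x00
#define BPF_JEQ  0x10
#define BPF_MAXINSNS 4096u   /* program length limit assumed for this model */

/* The filter as the "kernel" side holds it: a private copy plus a u32 length. */
struct sk_filter {
    uint32_t len;            /* u32, not long: same width on 32- and 64-bit */
    struct bpf_insn insns[]; /* kernel-owned copy; user space cannot alter it */
};

/* Validate a program that has ALREADY been copied out of user space.
 * All bounds checks are unsigned uint32_t arithmetic. Returns 0 or -1. */
static int chk_filter(const struct bpf_insn *f, uint32_t flen)
{
    uint32_t pc;
    if (flen == 0 || flen > BPF_MAXINSNS)
        return -1;
    for (pc = 0; pc < flen; pc++) {
        const struct bpf_insn *i = &f[pc];
        if (BPF_CLASS(i->code) != BPF_JMP)
            continue;   /* a real checker validates every opcode and offset */
        if (BPF_OP(i->code) == BPF_JA) {
            /* target is pc + 1 + k: compare k against the remaining room so
             * a huge k cannot wrap the sum back into range */
            if (i->k >= flen - pc - 1)
                return -1;
        } else if (pc + 1 + i->jt >= flen || pc + 1 + i->jf >= flen) {
            return -1;  /* pc < 4096 and jt, jf < 256: these sums cannot wrap */
        }
    }
    /* the last instruction must return, or execution runs off the program */
    return BPF_CLASS(f[flen - 1].code) == BPF_RET ? 0 : -1;
}

/* Model of sk_attach_filter: copy first, check the private copy, then publish.
 * The user buffer is never read again, so modifying it after the check
 * (the time-of-check/time-of-use race) cannot change what runs. */
static struct sk_filter *attach_filter(const struct bpf_insn *user_prog, uint32_t flen)
{
    struct sk_filter *fp;
    size_t bytes;
    if (flen == 0 || flen > BPF_MAXINSNS)
        return NULL;
    bytes = (size_t)flen * sizeof(struct bpf_insn);
    fp = malloc(sizeof(*fp) + bytes);
    if (!fp)
        return NULL;
    memcpy(fp->insns, user_prog, bytes);   /* stands in for copy_from_user() */
    fp->len = flen;
    if (chk_filter(fp->insns, fp->len) != 0) {
        free(fp);
        return NULL;
    }
    return fp;
}

/* Model of SO_DETACH_FILTER in the safe order: unpublish the pointer first,
 * free last. Freeing first leaves a dangling pointer visible to anything
 * (e.g. an interrupt) still looking at the socket. */
static void detach_filter(struct sk_filter **slot)
{
    struct sk_filter *old = *slot;
    *slot = NULL;
    free(old);
}

/* 1 if the constructed program is accepted, 0 if rejected. */
static int accepts(const struct bpf_insn *prog, uint32_t flen)
{
    struct sk_filter *fp = attach_filter(prog, flen);
    int ok = fp != NULL;
    detach_filter(&fp);
    return ok;
}

/* Constructed TOCTOU scenario: attach a valid program, then corrupt the user
 * copy; the attached copy must still validate. Returns 1 on success. */
static int toctou_demo(void)
{
    struct bpf_insn user_prog[2] = {
        { BPF_JMP | BPF_JEQ, 0, 0, 0x0800 },  /* jeq #0x0800 (falls through) */
        { BPF_RET, 0, 0, 0xffffffff },        /* ret #-1: accept the packet */
    };
    struct sk_filter *fp = attach_filter(user_prog, 2);
    int ok;
    if (!fp)
        return 0;
    user_prog[0].jt = 200;   /* would jump far past the end if it were reread */
    ok = chk_filter(fp->insns, fp->len) == 0 && fp->insns[0].jt == 0;
    detach_filter(&fp);
    return ok;
}

/* Constructed malformed programs: 1 if every one of them is rejected. */
static int bad_programs_rejected(void)
{
    struct bpf_insn jt_out[2]  = { { BPF_JMP | BPF_JEQ, 5, 0, 1 }, { BPF_RET, 0, 0, 0 } };
    struct bpf_insn ja_out[2]  = { { BPF_JMP | BPF_JA, 0, 0, 1 }, { BPF_RET, 0, 0, 0 } };
    struct bpf_insn ja_wrap[2] = { { BPF_JMP | BPF_JA, 0, 0, 0xffffffffu }, { BPF_RET, 0, 0, 0 } };
    struct bpf_insn no_ret[2]  = { { BPF_JMP | BPF_JEQ, 0, 0, 1 }, { BPF_LD, 0, 0, 0 } };
    return !accepts(jt_out, 2) && !accepts(ja_out, 2) && !accepts(ja_wrap, 2) &&
           !accepts(no_ret, 2) && !accepts(no_ret, 0);
}
```

The `ja_wrap` case is the arithmetic-overflow point from the thread: computing `pc + 1 + k` directly with `k = 0xffffffff` would wrap to `0` and pass a naive `< flen` test, which is why the check compares `k` against the remaining room instead. The model shows the safe ordering for detach but not the concurrency itself; in a real kernel, clearing the pointer is only the first half, and the memory may be released only once no concurrent user (such as an interrupt-time packet path) can still hold the old pointer.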