Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Terminate process on invalid netlink response from kernel [BZ #12926]
The recvmsg system calls for netlink sockets have been particularly
prone to picking up unrelated data after a file descriptor race
(where the descriptor is closed and reopened concurrently in a
multi-threaded process, as the result of a file descriptor
management issue elsewhere).  This commit adds additional error
checking and aborts the process if a datagram of unexpected length
(without the netlink header) is received, or an error code which
cannot happen due to the way the netlink socket is used.

	[BZ #12926]
	Terminate process on invalid netlink response.
	* sysdeps/unix/sysv/linux/netlinkaccess.h
	(__netlink_assert_response): Declare.
	* sysdeps/unix/sysv/linux/netlink_assert_response.c: New file.
	* sysdeps/unix/sysv/linux/Makefile [$(subdir) == inet]
	(sysdep_routines): Add netlink_assert_response.
	* sysdeps/unix/sysv/linux/check_native.c (__check_native): Call
	__netlink_assert_response.
	* sysdeps/unix/sysv/linux/check_pf.c (make_request): Likewise.
	* sysdeps/unix/sysv/linux/ifaddrs.c (__netlink_request): Likewise.
	* sysdeps/unix/sysv/linux/Versions (GLIBC_PRIVATE): Add
	__netlink_assert_response.
  • Loading branch information
Florian Weimer committed Nov 9, 2015
1 parent f3d18ef commit 2eecc8a
Show file tree
Hide file tree
Showing 9 changed files with 145 additions and 1 deletion.
16 changes: 16 additions & 0 deletions ChangeLog
@@ -1,3 +1,19 @@
2015-11-09 Florian Weimer <fweimer@redhat.com>

[BZ #12926]
Terminate process on invalid netlink response.
* sysdeps/unix/sysv/linux/netlinkaccess.h
(__netlink_assert_response): Declare.
* sysdeps/unix/sysv/linux/netlink_assert_response.c: New file.
* sysdeps/unix/sysv/linux/Makefile [$(subdir) == inet]
(sysdep_routines): Add netlink_assert_response.
* sysdeps/unix/sysv/linux/check_native.c (__check_native): Call
__netlink_assert_response.
* sysdeps/unix/sysv/linux/check_pf.c (make_request): Likewise.
* sysdeps/unix/sysv/linux/ifaddrs.c (__netlink_request): Likewise.
* sysdeps/unix/sysv/linux/Versions (GLIBC_PRIVATE): Add
__netlink_assert_response.

2015-11-07 H.J. Lu <hongjiu.lu@intel.com>

[BZ #19178]
Expand Down
8 changes: 8 additions & 0 deletions NEWS
Expand Up @@ -11,6 +11,14 @@ Version 2.23
the following new symbols are used: fts64_children, fts64_close,
fts64_open, fts64_read and fts64_set.

* getaddrinfo now detects certain invalid responses on an internal netlink
socket. If such responses are received, an affected process will
terminate with an error message of "Unexpected error <number> on netlink
descriptor <number>" or "Unexpected netlink response of size <number> on
descriptor <number>". The most likely cause for these errors is a
multi-threaded application which erroneously closes and reuses the netlink
file descriptor while it is used by getaddrinfo.

* A defect in the malloc implementation, present since glibc 2.15 (2012) or
glibc 2.10 via --enable-experimental-malloc (2009), could result in the
unnecessary serialization of memory allocation requests across threads.
Expand Down
1 change: 1 addition & 0 deletions sysdeps/unix/sysv/linux/Makefile
Expand Up @@ -151,6 +151,7 @@ sysdep_headers += netinet/if_fddi.h netinet/if_tr.h \
netipx/ipx.h netash/ash.h netax25/ax25.h netatalk/at.h \
netrom/netrom.h netpacket/packet.h netrose/rose.h \
neteconet/ec.h netiucv/iucv.h
sysdep_routines += netlink_assert_response
endif

# Don't compile the ctype glue code, since there is no old non-GNU C library.
Expand Down
2 changes: 2 additions & 0 deletions sysdeps/unix/sysv/linux/Versions
Expand Up @@ -169,5 +169,7 @@ libc {
GLIBC_PRIVATE {
# functions used in other libraries
__syscall_rt_sigqueueinfo;
# functions used by nscd
__netlink_assert_response;
}
}
2 changes: 2 additions & 0 deletions sysdeps/unix/sysv/linux/check_native.c
Expand Up @@ -35,6 +35,7 @@

#include <not-cancel.h>

#include "netlinkaccess.h"

void
__check_native (uint32_t a1_index, int *a1_native,
Expand Down Expand Up @@ -117,6 +118,7 @@ __check_native (uint32_t a1_index, int *a1_native,
};

ssize_t read_len = TEMP_FAILURE_RETRY (__recvmsg (fd, &msg, 0));
__netlink_assert_response (fd, read_len);
if (read_len < 0)
goto out_fail;

Expand Down
4 changes: 3 additions & 1 deletion sysdeps/unix/sysv/linux/check_pf.c
Expand Up @@ -36,6 +36,7 @@
#include <atomic.h>
#include <nscd/nscd-client.h>

#include "netlinkaccess.h"

#ifndef IFA_F_HOMEADDRESS
# define IFA_F_HOMEADDRESS 0
Expand Down Expand Up @@ -164,7 +165,8 @@ make_request (int fd, pid_t pid)
};

ssize_t read_len = TEMP_FAILURE_RETRY (__recvmsg (fd, &msg, 0));
if (read_len <= 0)
__netlink_assert_response (fd, read_len);
if (read_len < 0)
goto out_fail;

if (msg.msg_flags & MSG_TRUNC)
Expand Down
1 change: 1 addition & 0 deletions sysdeps/unix/sysv/linux/ifaddrs.c
Expand Up @@ -168,6 +168,7 @@ __netlink_request (struct netlink_handle *h, int type)
};

read_len = TEMP_FAILURE_RETRY (__recvmsg (h->fd, &msg, 0));
__netlink_assert_response (h->fd, read_len);
if (read_len < 0)
goto out_fail;

Expand Down
106 changes: 106 additions & 0 deletions sysdeps/unix/sysv/linux/netlink_assert_response.c
@@ -0,0 +1,106 @@
/* Check recvmsg results for netlink sockets.
Copyright (C) 2015 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>

#include "netlinkaccess.h"

static int
get_address_family (int fd)
{
struct sockaddr_storage sa;
socklen_t sa_len = sizeof (sa);
if (__getsockname (fd, (struct sockaddr *) &sa, &sa_len) < 0)
return -1;
/* Check that the socket family number is preserved despite in-band
signaling. */
_Static_assert (sizeof (sa.ss_family) < sizeof (int), "address family size");
_Static_assert (0 < (__typeof__ (sa.ss_family)) -1,
"address family unsigned");
return sa.ss_family;
}

void
internal_function
__netlink_assert_response (int fd, ssize_t result)
{
if (result < 0)
{
/* Check if the error is unexpected. */
bool terminate = false;
int error_code = errno;
int family = get_address_family (fd);
if (family != AF_NETLINK)
/* If the address family does not match (or getsockname
failed), report the original error. */
terminate = true;
else if (error_code == EBADF
|| error_code == ENOTCONN
|| error_code == ENOTSOCK
|| error_code == ECONNREFUSED)
/* These errors indicate that the descriptor is not a
connected socket. */
terminate = true;
else if (error_code == EAGAIN || error_code == EWOULDBLOCK)
{
/* The kernel might return EAGAIN for other reasons than a
non-blocking socket. But if the socket is not blocking,
it is not ours, so report the error. */
int mode = __fcntl (fd, F_GETFL, 0);
if (mode < 0 || (mode & O_NONBLOCK) != 0)
terminate = true;
}
if (terminate)
{
char message[200];
if (family < 0)
__snprintf (message, sizeof (message),
"Unexpected error %d on netlink descriptor %d",
error_code, fd);
else
__snprintf (message, sizeof (message),
"Unexpected error %d on netlink descriptor %d"
" (address family %d)",
error_code, fd, family);
__libc_fatal (message);
}
else
/* Restore orignal errno value. */
__set_errno (error_code);
}
else if (result < sizeof (struct nlmsghdr))
{
char message[200];
int family = get_address_family (fd);
if (family < 0)
__snprintf (message, sizeof (message),
"Unexpected netlink response of size %zd"
" on descriptor %d",
result, fd);
else
__snprintf (message, sizeof (message),
"Unexpected netlink response of size %zd"
" on descriptor %d (address family %d)",
result, fd, family);
__libc_fatal (message);
}
}
libc_hidden_def (__netlink_assert_response)
6 changes: 6 additions & 0 deletions sysdeps/unix/sysv/linux/netlinkaccess.h
Expand Up @@ -19,6 +19,7 @@
#define _NETLINKACCESS_H 1

#include <stdint.h>
#include <sys/types.h>
#include <asm/types.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
Expand Down Expand Up @@ -48,5 +49,10 @@ extern void __netlink_close (struct netlink_handle *h);
extern void __netlink_free_handle (struct netlink_handle *h);
extern int __netlink_request (struct netlink_handle *h, int type);

/* Terminate the process if RESULT is an invalid recvmsg result for
the netlink socket FD. */
void __netlink_assert_response (int fd, ssize_t result)
internal_function;
libc_hidden_proto (__netlink_assert_response)

#endif /* netlinkaccess.h */

0 comments on commit 2eecc8a

Please sign in to comment.