• Daniel Borkmann's avatar
    packet: tpacket_v3: do not trigger bug() on wrong header status · 8da3056c
    Daniel Borkmann authored
    Jakub reported that it is fairly easy to trigger the BUG() macro
    from user space with TPACKET_V3's RX_RING by just giving a wrong
    header status flag. We already had a similar situation in commit
    7f5c3e3a
    
     (``af_packet: remove BUG statement in
    tpacket_destruct_skb'') where this was the case in the TX_RING
    side that could be triggered from user space. So really, don't use
    BUG() or BUG_ON() unless there's really no way out, and i.e.
    don't use it for consistency checking when there's user space
    involved, no excuses, especially not if you're slapping the user
    with WARN + dump_stack + BUG all at once. The two functions are
    of concern:
    
      prb_retire_current_block() [when block status != TP_STATUS_KERNEL]
      prb_open_block() [when block_status != TP_STATUS_KERNEL]
    
    Calls to prb_open_block() are guarded by ealier checks if block_status
    is really TP_STATUS_KERNEL (racy!), but the first one BUG() is easily
    triggable from user space. System behaves still stable after they are
    removed. Also remove that yoda condition entirely, since it's already
    guarded.
    Reported-by: default avatarJakub Zawadzki <darkjames-ws@darkjames.pl>
    Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    8da3056c
af_packet.c 91 KB