diff options
author | Ralf Baechle <ralf@linux-mips.org> | 2005-08-23 13:11:45 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-08-23 13:11:45 -0400 |
commit | 01d7dd0e9f8c5f1888619d2649c7da389232b408 (patch) | |
tree | ee4f22a33557bae4883eb2f4fb1359e97ac74186 /net/ax25 | |
parent | 53b924b31fa53ac3007df3fef6870d5074a9adf8 (diff) |
[AX25]: UID fixes
o Brown paperbag bug - ax25_findbyuid() was always returning a NULL pointer
as the result. Breaks ROSE completly and AX.25 if UID policy set to deny.
o While the list structure of AX.25's UID to callsign mapping table was
properly protected by a spinlock, it's elements were not refcounted
resulting in a race between removal and usage of an element.
Signed-off-by: Ralf Baechle DL5RB <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ax25')
-rw-r--r-- | net/ax25/af_ax25.c | 20 | ||||
-rw-r--r-- | net/ax25/ax25_route.c | 12 | ||||
-rw-r--r-- | net/ax25/ax25_uid.c | 83 |
3 files changed, 55 insertions, 60 deletions
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 7d8ecadba66..a5c94f11547 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c | |||
@@ -1002,7 +1002,8 @@ static int ax25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) | |||
1002 | struct sock *sk = sock->sk; | 1002 | struct sock *sk = sock->sk; |
1003 | struct full_sockaddr_ax25 *addr = (struct full_sockaddr_ax25 *)uaddr; | 1003 | struct full_sockaddr_ax25 *addr = (struct full_sockaddr_ax25 *)uaddr; |
1004 | ax25_dev *ax25_dev = NULL; | 1004 | ax25_dev *ax25_dev = NULL; |
1005 | ax25_address *call; | 1005 | ax25_uid_assoc *user; |
1006 | ax25_address call; | ||
1006 | ax25_cb *ax25; | 1007 | ax25_cb *ax25; |
1007 | int err = 0; | 1008 | int err = 0; |
1008 | 1009 | ||
@@ -1021,9 +1022,15 @@ static int ax25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) | |||
1021 | if (addr->fsa_ax25.sax25_family != AF_AX25) | 1022 | if (addr->fsa_ax25.sax25_family != AF_AX25) |
1022 | return -EINVAL; | 1023 | return -EINVAL; |
1023 | 1024 | ||
1024 | call = ax25_findbyuid(current->euid); | 1025 | user = ax25_findbyuid(current->euid); |
1025 | if (call == NULL && ax25_uid_policy && !capable(CAP_NET_ADMIN)) { | 1026 | if (user) { |
1026 | return -EACCES; | 1027 | call = user->call; |
1028 | ax25_uid_put(user); | ||
1029 | } else { | ||
1030 | if (ax25_uid_policy && !capable(CAP_NET_ADMIN)) | ||
1031 | return -EACCES; | ||
1032 | |||
1033 | call = addr->fsa_ax25.sax25_call; | ||
1027 | } | 1034 | } |
1028 | 1035 | ||
1029 | lock_sock(sk); | 1036 | lock_sock(sk); |
@@ -1034,10 +1041,7 @@ static int ax25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) | |||
1034 | goto out; | 1041 | goto out; |
1035 | } | 1042 | } |
1036 | 1043 | ||
1037 | if (call == NULL) | 1044 | ax25->source_addr = call; |
1038 | ax25->source_addr = addr->fsa_ax25.sax25_call; | ||
1039 | else | ||
1040 | ax25->source_addr = *call; | ||
1041 | 1045 | ||
1042 | /* | 1046 | /* |
1043 | * User already set interface with SO_BINDTODEVICE | 1047 | * User already set interface with SO_BINDTODEVICE |
diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c index 44b99b1ff9f..c288526da4c 100644 --- a/net/ax25/ax25_route.c +++ b/net/ax25/ax25_route.c | |||
@@ -422,8 +422,8 @@ static inline void ax25_adjust_path(ax25_address *addr, ax25_digi *digipeat) | |||
422 | */ | 422 | */ |
423 | int ax25_rt_autobind(ax25_cb *ax25, ax25_address *addr) | 423 | int ax25_rt_autobind(ax25_cb *ax25, ax25_address *addr) |
424 | { | 424 | { |
425 | ax25_uid_assoc *user; | ||
425 | ax25_route *ax25_rt; | 426 | ax25_route *ax25_rt; |
426 | ax25_address *call; | ||
427 | int err; | 427 | int err; |
428 | 428 | ||
429 | if ((ax25_rt = ax25_get_route(addr, NULL)) == NULL) | 429 | if ((ax25_rt = ax25_get_route(addr, NULL)) == NULL) |
@@ -434,16 +434,18 @@ int ax25_rt_autobind(ax25_cb *ax25, ax25_address *addr) | |||
434 | goto put; | 434 | goto put; |
435 | } | 435 | } |
436 | 436 | ||
437 | if ((call = ax25_findbyuid(current->euid)) == NULL) { | 437 | user = ax25_findbyuid(current->euid); |
438 | if (user) { | ||
439 | ax25->source_addr = user->call; | ||
440 | ax25_uid_put(user); | ||
441 | } else { | ||
438 | if (ax25_uid_policy && !capable(CAP_NET_BIND_SERVICE)) { | 442 | if (ax25_uid_policy && !capable(CAP_NET_BIND_SERVICE)) { |
439 | err = -EPERM; | 443 | err = -EPERM; |
440 | goto put; | 444 | goto put; |
441 | } | 445 | } |
442 | call = (ax25_address *)ax25->ax25_dev->dev->dev_addr; | 446 | ax25->source_addr = *(ax25_address *)ax25->ax25_dev->dev->dev_addr; |
443 | } | 447 | } |
444 | 448 | ||
445 | ax25->source_addr = *call; | ||
446 | |||
447 | if (ax25_rt->digipeat != NULL) { | 449 | if (ax25_rt->digipeat != NULL) { |
448 | if ((ax25->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { | 450 | if ((ax25->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) { |
449 | err = -ENOMEM; | 451 | err = -ENOMEM; |
diff --git a/net/ax25/ax25_uid.c b/net/ax25/ax25_uid.c index cea6b7d1972..a8b3822f3ee 100644 --- a/net/ax25/ax25_uid.c +++ b/net/ax25/ax25_uid.c | |||
@@ -28,6 +28,7 @@ | |||
28 | #include <linux/fcntl.h> | 28 | #include <linux/fcntl.h> |
29 | #include <linux/mm.h> | 29 | #include <linux/mm.h> |
30 | #include <linux/interrupt.h> | 30 | #include <linux/interrupt.h> |
31 | #include <linux/list.h> | ||
31 | #include <linux/notifier.h> | 32 | #include <linux/notifier.h> |
32 | #include <linux/proc_fs.h> | 33 | #include <linux/proc_fs.h> |
33 | #include <linux/seq_file.h> | 34 | #include <linux/seq_file.h> |
@@ -41,38 +42,41 @@ | |||
41 | * Callsign/UID mapper. This is in kernel space for security on multi-amateur machines. | 42 | * Callsign/UID mapper. This is in kernel space for security on multi-amateur machines. |
42 | */ | 43 | */ |
43 | 44 | ||
44 | static ax25_uid_assoc *ax25_uid_list; | 45 | HLIST_HEAD(ax25_uid_list); |
45 | static DEFINE_RWLOCK(ax25_uid_lock); | 46 | static DEFINE_RWLOCK(ax25_uid_lock); |
46 | 47 | ||
47 | int ax25_uid_policy = 0; | 48 | int ax25_uid_policy = 0; |
48 | 49 | ||
49 | ax25_address *ax25_findbyuid(uid_t uid) | 50 | ax25_uid_assoc *ax25_findbyuid(uid_t uid) |
50 | { | 51 | { |
51 | ax25_uid_assoc *ax25_uid; | 52 | ax25_uid_assoc *ax25_uid, *res = NULL; |
52 | ax25_address *res = NULL; | 53 | struct hlist_node *node; |
53 | 54 | ||
54 | read_lock(&ax25_uid_lock); | 55 | read_lock(&ax25_uid_lock); |
55 | for (ax25_uid = ax25_uid_list; ax25_uid != NULL; ax25_uid = ax25_uid->next) { | 56 | ax25_uid_for_each(ax25_uid, node, &ax25_uid_list) { |
56 | if (ax25_uid->uid == uid) { | 57 | if (ax25_uid->uid == uid) { |
57 | res = &ax25_uid->call; | 58 | ax25_uid_hold(ax25_uid); |
59 | res = ax25_uid; | ||
58 | break; | 60 | break; |
59 | } | 61 | } |
60 | } | 62 | } |
61 | read_unlock(&ax25_uid_lock); | 63 | read_unlock(&ax25_uid_lock); |
62 | 64 | ||
63 | return NULL; | 65 | return res; |
64 | } | 66 | } |
65 | 67 | ||
66 | int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax) | 68 | int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax) |
67 | { | 69 | { |
68 | ax25_uid_assoc *s, *ax25_uid; | 70 | ax25_uid_assoc *ax25_uid; |
71 | struct hlist_node *node; | ||
72 | ax25_uid_assoc *user; | ||
69 | unsigned long res; | 73 | unsigned long res; |
70 | 74 | ||
71 | switch (cmd) { | 75 | switch (cmd) { |
72 | case SIOCAX25GETUID: | 76 | case SIOCAX25GETUID: |
73 | res = -ENOENT; | 77 | res = -ENOENT; |
74 | read_lock(&ax25_uid_lock); | 78 | read_lock(&ax25_uid_lock); |
75 | for (ax25_uid = ax25_uid_list; ax25_uid != NULL; ax25_uid = ax25_uid->next) { | 79 | ax25_uid_for_each(ax25_uid, node, &ax25_uid_list) { |
76 | if (ax25cmp(&sax->sax25_call, &ax25_uid->call) == 0) { | 80 | if (ax25cmp(&sax->sax25_call, &ax25_uid->call) == 0) { |
77 | res = ax25_uid->uid; | 81 | res = ax25_uid->uid; |
78 | break; | 82 | break; |
@@ -85,19 +89,22 @@ int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax) | |||
85 | case SIOCAX25ADDUID: | 89 | case SIOCAX25ADDUID: |
86 | if (!capable(CAP_NET_ADMIN)) | 90 | if (!capable(CAP_NET_ADMIN)) |
87 | return -EPERM; | 91 | return -EPERM; |
88 | if (ax25_findbyuid(sax->sax25_uid)) | 92 | user = ax25_findbyuid(sax->sax25_uid); |
93 | if (user) { | ||
94 | ax25_uid_put(user); | ||
89 | return -EEXIST; | 95 | return -EEXIST; |
96 | } | ||
90 | if (sax->sax25_uid == 0) | 97 | if (sax->sax25_uid == 0) |
91 | return -EINVAL; | 98 | return -EINVAL; |
92 | if ((ax25_uid = kmalloc(sizeof(*ax25_uid), GFP_KERNEL)) == NULL) | 99 | if ((ax25_uid = kmalloc(sizeof(*ax25_uid), GFP_KERNEL)) == NULL) |
93 | return -ENOMEM; | 100 | return -ENOMEM; |
94 | 101 | ||
102 | atomic_set(&ax25_uid->refcount, 1); | ||
95 | ax25_uid->uid = sax->sax25_uid; | 103 | ax25_uid->uid = sax->sax25_uid; |
96 | ax25_uid->call = sax->sax25_call; | 104 | ax25_uid->call = sax->sax25_call; |
97 | 105 | ||
98 | write_lock(&ax25_uid_lock); | 106 | write_lock(&ax25_uid_lock); |
99 | ax25_uid->next = ax25_uid_list; | 107 | hlist_add_head(&ax25_uid->uid_node, &ax25_uid_list); |
100 | ax25_uid_list = ax25_uid; | ||
101 | write_unlock(&ax25_uid_lock); | 108 | write_unlock(&ax25_uid_lock); |
102 | 109 | ||
103 | return 0; | 110 | return 0; |
@@ -106,34 +113,21 @@ int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax) | |||
106 | if (!capable(CAP_NET_ADMIN)) | 113 | if (!capable(CAP_NET_ADMIN)) |
107 | return -EPERM; | 114 | return -EPERM; |
108 | 115 | ||
116 | ax25_uid = NULL; | ||
109 | write_lock(&ax25_uid_lock); | 117 | write_lock(&ax25_uid_lock); |
110 | for (ax25_uid = ax25_uid_list; ax25_uid != NULL; ax25_uid = ax25_uid->next) { | 118 | ax25_uid_for_each(ax25_uid, node, &ax25_uid_list) { |
111 | if (ax25cmp(&sax->sax25_call, &ax25_uid->call) == 0) { | 119 | if (ax25cmp(&sax->sax25_call, &ax25_uid->call) == 0) |
112 | break; | 120 | break; |
113 | } | ||
114 | } | 121 | } |
115 | if (ax25_uid == NULL) { | 122 | if (ax25_uid == NULL) { |
116 | write_unlock(&ax25_uid_lock); | 123 | write_unlock(&ax25_uid_lock); |
117 | return -ENOENT; | 124 | return -ENOENT; |
118 | } | 125 | } |
119 | if ((s = ax25_uid_list) == ax25_uid) { | 126 | hlist_del_init(&ax25_uid->uid_node); |
120 | ax25_uid_list = s->next; | 127 | ax25_uid_put(ax25_uid); |
121 | write_unlock(&ax25_uid_lock); | ||
122 | kfree(ax25_uid); | ||
123 | return 0; | ||
124 | } | ||
125 | while (s != NULL && s->next != NULL) { | ||
126 | if (s->next == ax25_uid) { | ||
127 | s->next = ax25_uid->next; | ||
128 | write_unlock(&ax25_uid_lock); | ||
129 | kfree(ax25_uid); | ||
130 | return 0; | ||
131 | } | ||
132 | s = s->next; | ||
133 | } | ||
134 | write_unlock(&ax25_uid_lock); | 128 | write_unlock(&ax25_uid_lock); |
135 | 129 | ||
136 | return -ENOENT; | 130 | return 0; |
137 | 131 | ||
138 | default: | 132 | default: |
139 | return -EINVAL; | 133 | return -EINVAL; |
@@ -147,13 +141,11 @@ int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax) | |||
147 | static void *ax25_uid_seq_start(struct seq_file *seq, loff_t *pos) | 141 | static void *ax25_uid_seq_start(struct seq_file *seq, loff_t *pos) |
148 | { | 142 | { |
149 | struct ax25_uid_assoc *pt; | 143 | struct ax25_uid_assoc *pt; |
150 | int i = 1; | 144 | struct hlist_node *node; |
145 | int i = 0; | ||
151 | 146 | ||
152 | read_lock(&ax25_uid_lock); | 147 | read_lock(&ax25_uid_lock); |
153 | if (*pos == 0) | 148 | ax25_uid_for_each(pt, node, &ax25_uid_list) { |
154 | return SEQ_START_TOKEN; | ||
155 | |||
156 | for (pt = ax25_uid_list; pt != NULL; pt = pt->next) { | ||
157 | if (i == *pos) | 149 | if (i == *pos) |
158 | return pt; | 150 | return pt; |
159 | ++i; | 151 | ++i; |
@@ -164,8 +156,9 @@ static void *ax25_uid_seq_start(struct seq_file *seq, loff_t *pos) | |||
164 | static void *ax25_uid_seq_next(struct seq_file *seq, void *v, loff_t *pos) | 156 | static void *ax25_uid_seq_next(struct seq_file *seq, void *v, loff_t *pos) |
165 | { | 157 | { |
166 | ++*pos; | 158 | ++*pos; |
167 | return (v == SEQ_START_TOKEN) ? ax25_uid_list : | 159 | |
168 | ((struct ax25_uid_assoc *) v)->next; | 160 | return hlist_entry(((ax25_uid_assoc *)v)->uid_node.next, |
161 | ax25_uid_assoc, uid_node); | ||
169 | } | 162 | } |
170 | 163 | ||
171 | static void ax25_uid_seq_stop(struct seq_file *seq, void *v) | 164 | static void ax25_uid_seq_stop(struct seq_file *seq, void *v) |
@@ -179,7 +172,6 @@ static int ax25_uid_seq_show(struct seq_file *seq, void *v) | |||
179 | seq_printf(seq, "Policy: %d\n", ax25_uid_policy); | 172 | seq_printf(seq, "Policy: %d\n", ax25_uid_policy); |
180 | else { | 173 | else { |
181 | struct ax25_uid_assoc *pt = v; | 174 | struct ax25_uid_assoc *pt = v; |
182 | |||
183 | 175 | ||
184 | seq_printf(seq, "%6d %s\n", pt->uid, ax2asc(&pt->call)); | 176 | seq_printf(seq, "%6d %s\n", pt->uid, ax2asc(&pt->call)); |
185 | } | 177 | } |
@@ -213,16 +205,13 @@ struct file_operations ax25_uid_fops = { | |||
213 | */ | 205 | */ |
214 | void __exit ax25_uid_free(void) | 206 | void __exit ax25_uid_free(void) |
215 | { | 207 | { |
216 | ax25_uid_assoc *s, *ax25_uid; | 208 | ax25_uid_assoc *ax25_uid; |
209 | struct hlist_node *node; | ||
217 | 210 | ||
218 | write_lock(&ax25_uid_lock); | 211 | write_lock(&ax25_uid_lock); |
219 | ax25_uid = ax25_uid_list; | 212 | ax25_uid_for_each(ax25_uid, node, &ax25_uid_list) { |
220 | while (ax25_uid != NULL) { | 213 | hlist_del_init(&ax25_uid->uid_node); |
221 | s = ax25_uid; | 214 | ax25_uid_put(ax25_uid); |
222 | ax25_uid = ax25_uid->next; | ||
223 | |||
224 | kfree(s); | ||
225 | } | 215 | } |
226 | ax25_uid_list = NULL; | ||
227 | write_unlock(&ax25_uid_lock); | 216 | write_unlock(&ax25_uid_lock); |
228 | } | 217 | } |