| author | Johannes Berg <[email protected]> | 2015-01-16 11:37:13 +0100 | 
|---|---|---|
| committer | David S. Miller <[email protected]> | 2015-01-16 17:04:24 -0500 | 
| commit | 5ad6300524c0332ac67e912c20d6e5cf262ba58f (patch) | |
| tree | 6070fdb74e9f4051dca1bf69fea06b39212f3c65 /lib/netdev-notifier-error-inject.c | |
| parent | f555f3d76aaade29c7e221a37ee64fe722955c09 (diff) | |
genetlink: disallow subscribing to unknown mcast groups

Jeff Layton reported that he could trigger the multicast unbind warning
in generic netlink using trinity. I originally thought it was a race
condition between unregistering the generic netlink family and closing
the socket, but there's a far simpler explanation: genetlink currently
allows subscribing to groups that don't (yet) exist, and the warning is
triggered when unsubscribing again while the group still doesn't exist.

Originally, I had a warning in the subscribe case and accepted it out of
userspace API concerns, but the warning was of course wrong and removed
later.

However, I now think that allowing userspace to subscribe to groups that
don't exist is wrong and could possibly become a security problem:

Consider a (new) genetlink family implementing a permission check in
the mcast_bind() function similar to what the audit code does today;
it would be possible to bypass the permission check by guessing the ID
and subscribing to the group before it exists. This is only possible in case a
family like that would be dynamically loaded, but it doesn't seem like a
huge stretch, for example wireless may be loaded when you plug in a USB
device.

To avoid this, reject such subscription attempts.

If this ends up causing userspace issues we may need to add a workaround
in af_netlink to deny such requests but not return an error.

Reported-by: Jeff Layton <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

Diffstat (limited to 'lib/netdev-notifier-error-inject.c')
0 files changed, 0 insertions, 0 deletions
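
The ordering problem described in the commit message, as a simplified userspace model added here for illustration; it is not kernel code and is not taken from this commit. All names (`model_bind`, `subscribed_before_load`, the `strict` switch) and the `-ENOENT` return value are assumptions of the model.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified userspace model, NOT kernel code; every name is hypothetical. */
struct family {
    const char *name;
    unsigned first_grp, n_grps;         /* multicast group IDs the family owns */
    int (*mcast_bind)(int privileged);  /* per-family permission hook, may be NULL */
};

#define MAX_FAMILIES 8
static struct family families[MAX_FAMILIES];
static size_t n_families;
static int admin_only(int privileged) { return privileged ? 0 : -EPERM; }

static void model_register(struct family f)
{
    if (n_families < MAX_FAMILIES)
        families[n_families++] = f;
}

/* strict == 0: unknown groups are accepted (the behaviour the message describes).
 * strict == 1: unknown groups are rejected; -ENOENT is this model's choice. */
static int model_bind(unsigned group, int privileged, int strict)
{
    for (size_t i = 0; i < n_families; i++) {
        const struct family *f = &families[i];
        if (group >= f->first_grp && group < f->first_grp + f->n_grps)
            return f->mcast_bind ? f->mcast_bind(privileged) : 0;
    }
    return strict ? -ENOENT : 0;        /* no registered family owns this group */
}

/* An unprivileged socket binds `group` before its family is registered.
 * Returns 1 if the subscription was accepted without the hook ever running. */
static int subscribed_before_load(unsigned group, int strict)
{
    n_families = 0;                     /* start with no families loaded */
    int rc = model_bind(group, 0, strict);
    model_register((struct family){ "restricted", group, 1, admin_only });
    return rc == 0;
}

int main(void)
{
    printf("accepted early: lenient=%d strict=%d\n",
           subscribed_before_load(9, 0), subscribed_before_load(9, 1));
    printf("unprivileged bind after load: %d\n", model_bind(9, 0, 1));
    return 0;
}
```

In the lenient mode the early bind succeeds because no family exists to consult, so the permission hook registered later never sees that subscriber; rejecting unknown groups forces every bind through the hook.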