| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Oct 2015 06:36:19 -0700 From: Eric Dumazet <eric.dumazet@...il.com> To: Rainer Weikusat <rweikusat@...ileactivedefense.com> Cc: David Miller <davem@...emloft.net>, jbaron@...mai.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, minipli@...glemail.com, normalperson@...t.net, viro@...iv.linux.org.uk, davidel@...ilserver.org, dave@...olabs.net, olivier@...ras.ch, pageexec@...email.hu, torvalds@...ux-foundation.org, peterz@...radead.org, joe@...ches.com Subject: Re: [PATCH v4 0/3] net: unix: fix use-after-free On Mon, 2015-10-12 at 13:54 +0100, Rainer Weikusat wrote: > David Miller <davem@...emloft.net> writes: > > From: Jason Baron <jbaron@...mai.com> > > Date: Fri, 9 Oct 2015 00:15:59 -0400 > > > >> These patches are against mainline, I can re-base to net-next, please > >> let me know. > >> > >> They have been tested against: https://lkml.org/lkml/2015/9/13/195, > >> which causes the use-after-free quite quickly and here: > >> https://lkml.org/lkml/2015/10/2/693. > > > > I'd like to understand how patches that don't even compile can be > > "tested"? > > > > net/unix/af_unix.c: In function ‘unix_dgram_writable’: > > net/unix/af_unix.c:2480:3: error: ‘other_full’ undeclared (first use in this function) > > net/unix/af_unix.c:2480:3: note: each undeclared identifier is reported only once for each function it appears in > > > > Could you explain how that works, I'm having a hard time understanding > > this? > > This is basicallly a workaround for the problem that it's not possible > to tell epoll to let go of a certain wait queue: Instead of registering > the peer_wait queue via sock_poll_wait, a wait_queue_t under control of > the af_unix.c code is linked onto it which relays a wake up on the > peer_wait queue to the 'ordinary' wait queue associated with the polled > socket via custom wake function. But (at least the code I looked it) it > enqueues a unix socket on connect which has certain side effects (in > particular, /dev/log will have a seriously large wait queue of entirely > uninterested peers) and in many cases, this is simply not necessary, as > the additional peer_wait event is only interesting in case a peer of a > fan-in socket (like /dev/log) happens to be waiting for writeabilty via > poll/ select/ epoll/ ... > > Since the wait queue handling code is now under control of the af_unix.c > code, it can remove itself from the peer_wait queue prior to dropping > its reference to a peer on disconnect or on detecting a dead peer in > unix_dgram_sendmsg. > -- Okay, but David was asking how the patch was supposed to be tested, and applied, if it does not compile. A patch is not only showing the idea, but must be ready for inclusion. Please ? -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists