| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Mar 2008 16:48:20 -0700 (PDT) From: David Miller <davem@...emloft.net> To: haoki@...hat.com Cc: netdev@...r.kernel.org, herbert@...dor.apana.org.au Subject: Re: [RFC] [NET] [0/2] pskb_expand_head() bugfix From: Hideo AOKI <haoki@...hat.com> Date: Tue, 25 Mar 2008 14:39:04 -0400 > Current pskb_expand_head() doesn't change truesize, while it > reallocates memory. Then, if argument nhead or ntail aren't 0, caller > must update truesize. > > We had this bug at audit_expand() in January and fixed it as commit > 406a1d868001423c85a3165288e566e65f424fe6. However, some drivers and > subsystems still use pskb_expand_head() without updating truesize. > > In addition, there is another problem to update truesise. Since > pskb_expand_head() aligns memory size before reallocation, caller > functions may not update turesize correctly if they just add nhaad > and ntail to turesize. Drivers may not update truesize, because as I explained in Tokyo a fundamental issue is the case where SKB is charged already to a socket. In such a case, skb->truesize may not be modified without corrupting socket write queue allocation state. And at these very spots in drivers, the transmit path, the SKB is very likely to be owned by a socket. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists