lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 01 May 2008 02:43:20 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	johannes@...solutions.net
Cc:	mb@...sch.de, netdev@...r.kernel.org,
	linux-wireless@...r.kernel.org
Subject: Re: mac80211 truesize bugs

From: Johannes Berg <johannes@...solutions.net>
Date: Thu, 01 May 2008 11:32:29 +0200

> On Thu, 2008-05-01 at 02:20 -0700, David Miller wrote:
> > From: Johannes Berg <johannes@...solutions.net>
> > Date: Thu, 01 May 2008 11:08:06 +0200
> > 
> > > > Seems the skb->destructor messes it up.
> > > 
> > > Actually, it seems to be outside of mac80211, I put in a WARN_ON() and
> > > got this:
> > 
> > You're just seeing who freed it last here.
> > 
> > It could have had it's ->truesize put into an illegal state
> > elsewhere.
> 
> Yes, I know, but it doesn't come from my skb_orphan() call. Hence, I
> just netif_rx() the packet which makes it go onto the input_pkt_queue
> and then to netif_receive_skb() which gives it to af_packet and all
> others should ignore it since I set PACKET_OTHERHOST.

I looked at the mac80211 code, the problem is the skb_push() you
guys do in this situation.

Things like loopback, which also orphan then reinject, don't trigger
this problem because the re-input path trims things, never adds.

The good news is that this is easy to fix.

Since you've orphaned the SKB, simply adjust skb->truesize as you
do pushes.  Like this:

mac80211: Adjust truesize in ieee80211_tx_status() when reinjecting.

Signed-off-by: David S. Miller <davem@...emloft.net>

diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 9ad4e36..de2e904 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1485,6 +1485,9 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb,
 	rthdr = (struct ieee80211_tx_status_rtap_hdr*)
 				skb_push(skb, sizeof(*rthdr));
 
+	/* This is safe because the buffer has been orphaned.  */
+	skb->truesize += sizeof(*rthdr);
+
 	memset(rthdr, 0, sizeof(*rthdr));
 	rthdr->hdr.it_len = cpu_to_le16(sizeof(*rthdr));
 	rthdr->hdr.it_present =

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ