lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Aug 2010 16:48:07 +0200 From: Eric Dumazet <eric.dumazet@...il.com> To: Johannes Berg <johannes@...solutions.net> Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org Subject: Re: [PATCH net-next-2.6] netlink: netlink_recvmsg() fix Le vendredi 13 août 2010 à 16:35 +0200, Johannes Berg a écrit : > On Fri, 2010-08-13 at 16:00 +0200, Johannes Berg wrote: > > On Sun, 2010-07-25 at 21:55 -0700, David Miller wrote: > > > From: Eric Dumazet <eric.dumazet@...il.com> > > > Date: Wed, 21 Jul 2010 10:43:55 +0200 > > > > > > > [PATCH net-next-2.6 v3] netlink: netlink_recvmsg() fix > > > > > > > > commit 1dacc76d0014 > > > > (net/compat/wext: send different messages to compat tasks) > > > > introduced a race condition on netlink, in case MSG_PEEK is used. > > > > > > > > An skb given by skb_recv_datagram() might be shared, we must copy it > > > > before any modification, or risk fatal corruption. > > > > > > > > Signed-off-by: Eric Dumazet <eric.dumazet@...il.com> > > > > > > Applied, thanks Eric. > > > > I keep getting errors like below in 2.6.35+wireless-testing. Not saying > > that it's this patch's fault, but it is the only thing I remember > > touching that area. > > In fact, I think something's wrong with this patch, since my comment > (that right now unfortunately I no longer fully understand) says: > > * If this skb has a frag_list, then here that means that > * we will have to use the frag_list skb for compat tasks > * and the regular skb for non-compat tasks. > * > * The skb might (and likely will) be cloned, so we can't > * just reset frag_list and go on with things -- we need to > * keep that. For the compat case that's easy -- simply get > * a reference to the compat skb and free the regular one > * including the frag. For the non-compat case, we need to > * avoid sending the frag to the user -- so assign NULL but > * restore it below before freeing the skb. > > and that's no longer true, afaict. > Comment was not updated by the patch. But do you agree temporarly setting frag_list to NULL was a bug ? Unfortunatly I cannot test this path... I assume reverting 1235f504aaba removes these errors ? Its strange we have a double-free on a data part and not a skb_head. maybe pskb_copy() has a problem with frag_list... Maybe we can revert the patch and find another way to make sure two process can not manipulate this skb in // (adding a mutex, or using RTNL ?) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists