| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 May 2011 12:30:43 -0500 (CDT) From: Christoph Lameter <cl@...ux.com> To: Eric Dumazet <eric.dumazet@...il.com> cc: Vegard Nossum <vegardno@....uio.no>, Pekka Enberg <penberg@...helsinki.fi>, casteyde.christian@...e.fr, Andrew Morton <akpm@...ux-foundation.org>, netdev@...r.kernel.org, bugzilla-daemon@...zilla.kernel.org, bugme-daemon@...zilla.kernel.org Subject: Re: [Bugme-new] [Bug 33502] New: Caught 64-bit read from uninitialized memory in __alloc_skb On Tue, 10 May 2011, Eric Dumazet wrote: > Le mardi 10 mai 2011 à 11:39 -0500, Christoph Lameter a écrit : > > > #ifdef CONFIG_DEBUG_PAGE_ALLOC > > if (illegal_page_alloc-address(object)) > > goto redo; > > #endif > > > > before the cmpxchg should do the trick. > > > > Again, it wont work... > > You can have an IRQ right after the check and before cmpxchg Ok guess then we also need to disable irq if CONFIG_PAGE_ALLOC is set? The cmpxchg is not the problem. The problem is the following expression which retrieves the pointer to the next available object from the object on the page: get_freepointer(s, object) In the CONFIG_PAGE_ALLOC case we could disable interrupts, then do the check, then fetch the pointer and then reenable interrupts. All of this can occur before the cmpxchg. > This interrupt can allocate this block of memory, free it, and unmap > page from memory. > > cmpxchg() reads unmapped memory -> BUG The cmpxchg is not accessing any memory on the page.
Powered by blists - more mailing lists