Date: Mon, 09 Jul 2012 08:16:51 +0800
From: Gao feng <gaofeng@...fujitsu.com>
To: Eric Dumazet <eric.dumazet@...il.com>
CC: nhorman@...driver.com, davem@...emloft.net, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, tj@...nel.org, lizefan@...wei.com
Subject: Re: [PATCH v2] cgroup: fix panic in netprio_cgroup

On 2012-07-09 03:50, Eric Dumazet wrote:
> On Thu, 2012-07-05 at 17:28 +0800, Gao feng wrote:
>> we set max_prioidx to the first zero bit index of prioidx_map in
>> function get_prioidx.
>>
>> So when we delete the low index netprio cgroup and add a new
>> netprio cgroup again, the max_prioidx will be set to the low index.
>>
>> when we set the high index cgroup's net_prio.ifpriomap, the function
>> write_priomap will call update_netdev_tables to alloc memory whose
>> size is sizeof(struct netprio_map) + sizeof(u32) * (max_prioidx + 1),
>> so the size of the array that map->priomap points to is max_prioidx + 1,
>> which is lower than what we actually need.
>>
>> fix this by adding a check in get_prioidx, only setting max_prioidx when
>> max_prioidx is lower than the new prioidx.
>>
>> Signed-off-by: Gao feng <gaofeng@...fujitsu.com>
>> ---
>> net/core/netprio_cgroup.c | 3 ++-
>> 1 files changed, 2 insertions(+), 1 deletions(-)
>>
>> diff --git a/net/core/netprio_cgroup.c b/net/core/netprio_cgroup.c
>> index 5b8aa2f..aa907ed 100644
>> --- a/net/core/netprio_cgroup.c
>> +++ b/net/core/netprio_cgroup.c
>> @@ -49,8 +49,9 @@ static int get_prioidx(u32 *prio)
>>  		return -ENOSPC;
>>  	}
>>  	set_bit(prioidx, prioidx_map);
>> +	if (atomic_read(&max_prioidx) < prioidx)
>> +		atomic_set(&max_prioidx, prioidx);
>>  	spin_unlock_irqrestore(&prioidx_map_lock, flags);
>> -	atomic_set(&max_prioidx, prioidx);
>>  	*prio = prioidx;
>>  	return 0;
>>  }
>
> This patch seems fine to me.
>
> Acked-by: Eric Dumazet <edumazet@...gle.com>
>
> Neil, looking at this file, I believe something is wrong.
>
> dev->priomap is allocated by extend_netdev_table() called from
> update_netdev_tables(). And this is only called if write_priomap() is
> called.
>
> But if write_priomap() is not called, it seems we can have out of bounds
> accesses in cgrp_destroy() and read_priomap()

Agree, and the function skb_update_prio has the same problem.
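Review bot: the new compare-and-set sits before spin_unlock_irqrestore(), so the read of max_prioidx and its update now happen under prioidx_map_lock, whereas the removed unconditional atomic_set() ran after the unlock; that is what closes the window between two concurrent get_prioidx() callers, but the changelog only describes the comparison, so it should state that moving the update under the lock is deliberate. Since max_prioidx is now a high-water mark that indexes freed by cgroup deletion never lower, a one-line comment above `if (atomic_read(&max_prioidx) < prioidx)` saying so would stop the next reader from "simplifying" it back to the old behaviour.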
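To make the sizing bug described in the changelog concrete, the following is an added user-space model written for this page, not kernel code and not from this thread: it replays the create/delete/create sequence above under both the old rule for max_prioidx and the patched high-water-mark rule, then checks whether a priomap sized from max_prioidx + 1 would still hold every index in use. It assumes a 32-entry bitmap, leaves out the spinlock and atomics, and returns -1 where the kernel returns -ENOSPC.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed user-space model of the prioidx bitmap in net/core/netprio_cgroup.c. */
#define MAX_PRIOIDX 32

static unsigned long prioidx_map; /* bit i set: prioidx i is in use */
static uint32_t max_prioidx;      /* priomap tables are sized as max_prioidx + 1 */

/* Hand out the first free index. high_water == false mirrors the pre-patch
 * code (max_prioidx := the index just given out); true mirrors the patch
 * (max_prioidx only ever grows). Returns -1 in place of -ENOSPC. */
static int get_prioidx(uint32_t *prio, bool high_water)
{
	for (uint32_t i = 0; i < MAX_PRIOIDX; i++) {
		if (prioidx_map & (1UL << i))
			continue;
		prioidx_map |= 1UL << i;
		if (!high_water || max_prioidx < i)
			max_prioidx = i;
		*prio = i;
		return 0;
	}
	return -1;
}

/* Replay the changelog's sequence: create three cgroups, delete the one
 * holding the low index 1, create another (it reuses index 1), then ask
 * whether every index still in use would fit in a priomap allocated now
 * with max_prioidx + 1 slots. false means a write past the end of the table. */
static bool live_indexes_fit(bool high_water)
{
	uint32_t idx;

	prioidx_map = 0;
	max_prioidx = 0;
	for (int n = 0; n < 3; n++)
		get_prioidx(&idx, high_water);  /* indexes 0, 1, 2 */
	prioidx_map &= ~(1UL << 1);         /* cgroup holding index 1 deleted */
	get_prioidx(&idx, high_water);      /* reuses index 1 */
	for (uint32_t i = 0; i < MAX_PRIOIDX; i++)
		if ((prioidx_map & (1UL << i)) && i >= max_prioidx + 1)
			return false;
	return true;
}
```

With the old rule max_prioidx drops back to 1 while index 2 is still live, so the table would have two slots for three indexes; with the patched rule it stays at 2 and the table fits.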