| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Jan 2017 12:03:44 -0500 (EST) From: David Miller <davem@...emloft.net> To: eric.dumazet@...il.com Cc: netdev@...r.kernel.org, slavash@...lanox.com Subject: Re: [PATCH v2 net-next] net: adjust skb->truesize in pskb_expand_head() From: Eric Dumazet <eric.dumazet@...il.com> Date: Fri, 27 Jan 2017 07:11:27 -0800 > From: Eric Dumazet <edumazet@...gle.com> > > Slava Shwartsman reported a warning in skb_try_coalesce(), when we > detect skb->truesize is completely wrong. > > In his case, issue came from IPv6 reassembly coping with malicious > datagrams, that forced various pskb_may_pull() to reallocate a bigger > skb->head than the one allocated by NIC driver before entering GRO > layer. > > Current code does not change skb->truesize, leaving this burden to > callers if they care enough. > > Blindly changing skb->truesize in pskb_expand_head() is not > easy, as some producers might track skb->truesize, for example > in xmit path for back pressure feedback (sk->sk_wmem_alloc) > > We can detect the cases where it should be safe to change > skb->truesize : > > 1) skb is not attached to a socket. > 2) If it is attached to a socket, destructor is sock_edemux() > > My audit gave only two callers doing their own skb->truesize > manipulation. > > I had to remove skb parameter in sock_edemux macro when > CONFIG_INET is not set to avoid a compile error. > > Signed-off-by: Eric Dumazet <edumazet@...gle.com> > Reported-by: Slava Shwartsman <slavash@...lanox.com> Looks good, applied, thanks Eric.
Powered by blists - more mailing lists