| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Sep 2017 10:34:33 -0700 (PDT) From: David Miller <davem@...emloft.net> To: cpaasch@...le.com Cc: netdev@...r.kernel.org Subject: Re: [PATCH net] net: Set sk_prot_creator when cloning sockets to the right proto From: Christoph Paasch <cpaasch@...le.com> Date: Tue, 26 Sep 2017 17:38:50 -0700 > sk->sk_prot and sk->sk_prot_creator can differ when the app uses > IPV6_ADDRFORM (transforming an IPv6-socket to an IPv4-one). > Which is why sk_prot_creator is there to make sure that sk_prot_free() > does the kmem_cache_free() on the right kmem_cache slab. > > Now, if such a socket gets transformed back to a listening socket (using > connect() with AF_UNSPEC) we will allocate an IPv4 tcp_sock through > sk_clone_lock() when a new connection comes in. But sk_prot_creator will > still point to the IPv6 kmem_cache (as everything got copied in > sk_clone_lock()). When freeing, we will thus put this > memory back into the IPv6 kmem_cache although it was allocated in the > IPv4 cache. I have seen memory corruption happening because of this. > > With slub-debugging and MEMCG_KMEM enabled this gives the warning > "cache_from_obj: Wrong slab cache. TCPv6 but object is from TCP" > > A C-program to trigger this: ... > As far as I can see, this bug has been there since the beginning of the > git-days. > > Signed-off-by: Christoph Paasch <cpaasch@...le.com> Applied and queued up for -stable, thanks.
Powered by blists - more mailing lists