Date: Fri, 23 May 2014 16:00:52 +0100
From: Jim Baxter <jim_baxter@...tor.com>
To: Eric Dumazet <eric.dumazet@...il.com>
CC: David Laight <David.Laight@...LAB.COM>, 'Bjørn Mork' <bjorn@...k.no>, "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "David S. Miller" <davem@...emloft.net>, "kamal@...onical.com" <kamal@...onical.com>, "edumazet@...gle.com" <edumazet@...gle.com>, "mszeredi@...e.cz" <mszeredi@...e.cz>, "fw@...len.de" <fw@...len.de>
Subject: Re: skbuff truesize incorrect.

On 23/05/14 14:47, Eric Dumazet wrote:
> On Fri, 2014-05-23 at 12:13 +0100, Jim Baxter wrote:
>
>> What are the side effects of changing the truesize, if the original
>> uncloned skb has the full truesize then isn't the potential memory usage
>> still counted for the avoidance of OOM?
>
> Nope. This can be disastrous.
>
> A malicious remote peer can crash your host by sending specially cooked
> TCP messages.
>
> Send messages with one byte of payload, and out of order so that they
> can't be consumed by receiver, and can't be coalesced/collapsed.
>
> If you claim the true size is sizeof(sk_buff) + 512, TCP stack will
> accumulate these messages in out of order queue, and will not bother
> with them, unless you hit sk_rcvbuf limit.
>
> But in reality these messages use sizeof(sk_buff) + 32768 bytes.
>
> Divide your physical memory by 32768 : How many such messages will fit
> in memory before the host crashes ?
>
> I've seen that kind of attacks in real cases.
>
> Even the fast clones sk_buff mismatch can be noticed. Luckily a 10%
> error has no severe impact.
>
> TCP stack uses fast clones, and current stack gives them a truesize of
> 2048 + sizeof(sk_buff), while it really should be 2048 +
> 2*sizeof(sk_buff)
>
> Luckily, GSO/TSO tends to reduce the error, as skbs overhead is lower.
>

Thank you for clarifying, that is useful to know.
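The out-of-order-queue scenario Eric describes, as an added illustration that is not part of the thread and not kernel code: a constructed model of one socket whose out-of-order queue is charged by skb->truesize against sk_rcvbuf, loosely mirroring the rmem check TCP applies before queueing an out-of-order segment. It floods the socket with 1-byte segments whose truesize claims sizeof(sk_buff) + 512 while each really occupies sizeof(sk_buff) + 32768, and compares with honest accounting. The constants (256 bytes standing in for sizeof(struct sk_buff), a 6291456-byte sk_rcvbuf) and the function names are assumptions chosen for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed model, not kernel code: a socket whose out-of-order queue is
 * charged by skb->truesize against sk_rcvbuf, loosely mirroring the check
 * TCP applies before queueing an out-of-order segment.  The point is the gap
 * between what a queued segment claims to occupy (truesize) and what it
 * really occupies when truesize is understated.
 */

/* Assumed figures for the illustration. */
#define SKB_OVERHEAD   256u       /* stand-in for sizeof(struct sk_buff) */
#define CLAIMED_DATA   512u       /* understated buffer size from the thread */
#define REAL_DATA      32768u     /* buffer actually backing each skb */
#define DEFAULT_RCVBUF 6291456u   /* assumed sk_rcvbuf (a common tcp_rmem max) */

struct model_skb {
    size_t truesize;     /* what the skb reports */
    size_t real_size;    /* what the allocator really handed out for it */
    struct model_skb *next;
};

struct model_sock {
    size_t sk_rcvbuf;
    size_t sk_rmem_alloc;   /* sum of truesize over the queue */
    size_t real_alloc;      /* sum of real_size: the host's actual bill */
    size_t nr_queued;
    struct model_skb *ofo_queue;
};

/* Admit one 1-byte out-of-order segment if its truesize still fits under
 * sk_rcvbuf.  Returns 1 if queued, 0 if the limit rejected it. */
static int ofo_queue(struct model_sock *sk, size_t truesize, size_t real_size)
{
    struct model_skb *skb;

    if (sk->sk_rmem_alloc + truesize > sk->sk_rcvbuf)
        return 0;
    skb = malloc(sizeof *skb);
    if (!skb)
        return 0;
    skb->truesize = truesize;
    skb->real_size = real_size;
    skb->next = sk->ofo_queue;
    sk->ofo_queue = skb;
    sk->sk_rmem_alloc += truesize;
    sk->real_alloc += real_size;
    sk->nr_queued++;
    return 1;
}

static void ofo_purge(struct model_sock *sk)
{
    while (sk->ofo_queue) {
        struct model_skb *skb = sk->ofo_queue;
        sk->ofo_queue = skb->next;
        free(skb);
    }
    sk->sk_rmem_alloc = sk->real_alloc = sk->nr_queued = 0;
}

/* Flood one socket with segments that claim claimed_truesize but cost
 * real_truesize, until sk_rcvbuf refuses the next one.  Returns the number
 * queued; if real_bytes is non-NULL, stores what the host really spent. */
size_t flood_ofo(size_t rcvbuf, size_t claimed_truesize, size_t real_truesize,
                 size_t *real_bytes)
{
    struct model_sock sk = { .sk_rcvbuf = rcvbuf };
    size_t n;

    while (ofo_queue(&sk, claimed_truesize, real_truesize))
        ;
    n = sk.nr_queued;
    if (real_bytes)
        *real_bytes = sk.real_alloc;
    ofo_purge(&sk);
    return n;
}

/* Convenience: only the real memory consumed by the flood. */
size_t flood_ofo_cost(size_t rcvbuf, size_t claimed_truesize, size_t real_truesize)
{
    size_t bytes = 0;
    flood_ofo(rcvbuf, claimed_truesize, real_truesize, &bytes);
    return bytes;
}

int main(void)
{
    size_t lying_bytes, honest_bytes;
    size_t lying = flood_ofo(DEFAULT_RCVBUF, SKB_OVERHEAD + CLAIMED_DATA,
                             SKB_OVERHEAD + REAL_DATA, &lying_bytes);
    size_t honest = flood_ofo(DEFAULT_RCVBUF, SKB_OVERHEAD + REAL_DATA,
                              SKB_OVERHEAD + REAL_DATA, &honest_bytes);

    printf("understated truesize: %zu segments queued, %zu bytes really used (%.0fx rcvbuf)\n",
           lying, lying_bytes, (double)lying_bytes / DEFAULT_RCVBUF);
    printf("honest truesize:      %zu segments queued, %zu bytes really used\n",
           honest, honest_bytes);
    return 0;
}
```

With the assumed figures the understated truesize lets 8192 segments through before sk_rcvbuf refuses one, so a single connection pins about 258 MB while the socket believes it holds 6 MB; honest accounting stops at 190 segments and about 6 MB. That is the per-connection figure, and a remote peer can open many connections, which is why Eric's "divide physical memory by 32768" is the right way to size the risk.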