Date:	Fri, 23 May 2014 16:00:52 +0100
From:	Jim Baxter <jim_baxter@...tor.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
CC:	David Laight <David.Laight@...LAB.COM>,
	'Bjørn Mork' <bjorn@...k.no>,
	"linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"David S. Miller" <davem@...emloft.net>,
	"kamal@...onical.com" <kamal@...onical.com>,
	"edumazet@...gle.com" <edumazet@...gle.com>,
	"mszeredi@...e.cz" <mszeredi@...e.cz>,
	"fw@...len.de" <fw@...len.de>
Subject: Re: skbuff truesize incorrect.

On 23/05/14 14:47, Eric Dumazet wrote:
> On Fri, 2014-05-23 at 12:13 +0100, Jim Baxter wrote:
> 
>> What are the side effects of changing the truesize, if the original
>> uncloned skb has the full truesize then isn't the potential memory usage
>> still counted for the avoidance of OOM?
> 
> Nope. This can be disastrous.
> 
> A malicious remote peer can crash your host by sending specially cooked
> TCP messages.
> 
> Send messages with one byte of payload, and out of order so that they
> can't be consumed by receiver, and can't be coalesced/collapsed.
> 
> If you claim the true size is sizeof(sk_buff) + 512, TCP stack will
> accumulate these messages in out of order queue, and will not bother
> with them, unless you hit sk_rcvbuf limit.
> 
> But in reality these messages use sizeof(sk_buff) + 32768 bytes.
> 
> Divide your physical memory by 32768: how many such messages will fit
> in memory before the host crashes?
> 
> I've seen that kind of attack in real cases.
> 
> Even the fast clone sk_buff mismatch can be noticed. Luckily a 10%
> error has no severe impact.
> 
> TCP stack uses fast clones, and current stack gives them a truesize of
> 2048 + sizeof(sk_buff), while it really should be 2048 +
> 2*sizeof(sk_buff)
> 
> Luckily, GSO/TSO tends to reduce the error, as the skb overhead is lower.
> 
> 

Thank you for clarifying, that is useful to know.
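The accounting mismatch Eric describes above, as an added user-space model that is not part of the thread or of the kernel: the receive-queue limit is checked against the claimed truesize only, so the real memory pinned by out-of-order segments scales with the ratio of real to claimed size. SKB_SIZE (232 bytes) and the 6 MiB sk_rcvbuf are assumptions chosen for the model; the thread only writes sizeof(sk_buff).

```c
#include <stdio.h>

/* Assumed sizeof(struct sk_buff) for this user-space model; the real value
 * depends on kernel version and config (the thread only writes sizeof(sk_buff)). */
#define SKB_SIZE 232ULL

/* What the kernel's receive-side accounting sees versus what is really pinned. */
struct accounting {
    unsigned long long segments;  /* out-of-order segments admitted to the queue */
    unsigned long long accounted; /* sk_rmem_alloc as the stack sums it from truesize */
    unsigned long long real;      /* bytes the allocations actually occupy */
};

/* Model of the out-of-order queue: a 1-byte segment is admitted while the sum of
 * *claimed* truesizes fits in sk_rcvbuf. Only truesize enters the check; the real
 * footprint is invisible to it, so it is totalled separately here. */
struct accounting fill_ooo_queue(unsigned long long claimed_truesize,
                                 unsigned long long real_bytes,
                                 unsigned long long rcvbuf)
{
    struct accounting a = {0, 0, 0};
    while (a.accounted + claimed_truesize <= rcvbuf) {
        a.accounted += claimed_truesize;
        a.real += real_bytes;
        a.segments++;
    }
    return a;
}

/* Percentage by which real memory use exceeds what the accounting admitted. */
unsigned long long overshoot_percent(struct accounting a)
{
    return a.accounted ? (a.real * 100) / a.accounted - 100 : 0;
}

static void report(const char *label, struct accounting a)
{
    printf("%-14s %6llu segments, accounted %9llu B, real %10llu B (+%llu%%)\n",
           label, a.segments, a.accounted, a.real, overshoot_percent(a));
}

int main(void)
{
    unsigned long long rcvbuf = 6ULL << 20; /* constructed 6 MiB sk_rcvbuf */
    /* Driver claims a 512-byte buffer but each skb really holds 32768 bytes (the thread's case). */
    report("under-reported", fill_ooo_queue(SKB_SIZE + 512, SKB_SIZE + 32768, rcvbuf));
    /* Fast clone: truesize counts one sk_buff where the allocation holds two. */
    report("fast clone", fill_ooo_queue(SKB_SIZE + 2048, 2 * SKB_SIZE + 2048, rcvbuf));
    return 0;
}
```

With these assumptions the under-reported case pins roughly 266 MiB per socket against a 6 MiB limit, while the fast clone case overshoots by about 10%, matching the error Eric quotes.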