| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Nov 2015 16:12:27 +0000 From: Rainer Weikusat <rweikusat@...ileactivedefense.com> To: Hannes Frederic Sowa <hannes@...essinduktion.org> Cc: Rainer Weikusat <rweikusat@...ileactivedefense.com>, Jason Baron <jbaron@...mai.com>, Dmitry Vyukov <dvyukov@...gle.com>, syzkaller <syzkaller@...glegroups.com>, Michal Kubecek <mkubecek@...e.cz>, Al Viro <viro@...iv.linux.org.uk>, linux-fsdevel@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>, David Miller <davem@...emloft.net>, David Howells <dhowells@...hat.com>, Paul Moore <paul@...l-moore.com>, salyzyn@...roid.com, sds@...ho.nsa.gov, ying.xue@...driver.com, netdev <netdev@...r.kernel.org>, Kostya Serebryany <kcc@...gle.com>, Alexander Potapenko <glider@...gle.com>, Andrey Konovalov <andreyknvl@...gle.com>, Sasha Levin <sasha.levin@...cle.com>, Julien Tinnes <jln@...gle.com>, Kees Cook <keescook@...gle.com>, Mathias Krause <minipli@...glemail.com> Subject: Re: [PATCH] unix: avoid use-after-free in ep_remove_wait_queue Hannes Frederic Sowa <hannes@...essinduktion.org> writes: > On Tue, Nov 10, 2015, at 22:55, Rainer Weikusat wrote: >> An AF_UNIX datagram socket being the client in an n:1 association with >> some server socket is only allowed to send messages to the server if the >> receive queue of this socket contains at most sk_max_ack_backlog >> datagrams. [...] > This whole patch seems pretty complicated to me. > > Can't we just remove the unix_recvq_full checks alltogether and unify > unix_dgram_poll with unix_poll? > > If we want to be cautious we could simply make unix_max_dgram_qlen limit > the number of skbs which are in flight from a sending socket. The skb > destructor can then decrement this. This seems much simpler. > > Would this work? In the way this is intended to work, cf http://marc.info/?t=115627606000002&r=1&w=2 only if the limit would also apply to sockets which didn't sent anything so far. Which means it'll end up in the exact same situation as before: Sending something using a certain socket may not be possible because of data sent by other sockets, so either, code trying to send using this sockets ends up busy-waiting for "space again available" despite it's trying to use select/ poll/ epolll/ $whatnot to get notified of this condition and sleep until then or this notification needs to be propagated to sleeping threads which didn't get to send anything yet. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists