| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170710121002.GB21587@oracle.com>
Date: Mon, 10 Jul 2017 08:10:02 -0400
From: Sowmini Varadhan <sowmini.varadhan@...cle.com>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: David Miller <davem@...emloft.net>, torvalds@...ux-foundation.org,
akpm@...ux-foundation.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [GIT] Networking
On (07/10/17 18:05), Herbert Xu wrote:
>
> Hmm, I can't see the problem in af_alg_accept. The struct socket
> comes directly from sys_accept() which creates it using sock_alloc.
>
> So the only thing I can think of is that the memory returned by
> sock_alloc is not zeroed and therefore the WARN_ON is just reading
> garbage.
Then it is odd that this WARN_ON is not triggered for other sockets
(e.g., for TCP sockets), though it happens easily with AF_ALG.
But it's not sock_alloc() - that function is returning a properly
zeroed ->sk.
The reason that the WARN_ON is triggered is that af_alg_accept() calls
sock_init_data() which does
2636 if (sock) {
:
2639 sock->sk = sk;
So we can do one of the following:
1. drop the WARN_ON(), which makes true leaks hard to detect
2. change the WARN_ON() to WARN_ON(parent->sk && parent->sk != sk)
#2 assumes that all the refcount book-keeping is being done
correctly (there is the danger that we end up taking 2 refs on the sk)
--Sowmini
Powered by blists - more mailing lists