lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20171227193307.929591859@goodmis.org>
Date:   Wed, 27 Dec 2017 14:33:07 -0500
From:   Steven Rostedt <rostedt@...dmis.org>
To:     linux-kernel@...r.kernel.org
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Ingo Molnar <mingo@...nel.org>,
        Andrew Morton <akpm@...ux-foundation.org>
Subject: [PATCH 0/5] [GIT PULL] tracing: Bug fixes for 4.15 and earlier


Linus,

While doing tests on tracing over the network, I found that the packets
were getting corrupted. In the process I found three bugs. One was the
culprit, but the other two scared me. After deeper investigation, they
were not as major as I thought they were, due to a signed compared to
an unsigned that prevented a negative number from doing actual harm.

The two bigger bugs:

 - Mask the ring buffer data page length. There are data flags at the
   high bits of the length field. These were not cleared via the
   length function, and the length could return a negative number.
   (Although the number returned was unsigned, but was assigned to a
   signed number) Luckily, this value was compared to PAGE_SIZE which is
   unsigned and kept it from entering the path that could have caused damage.

 - Check the page usage before reusing the ring buffer reader page.
   TCP increments the page ref when passing the page off to the network.
   The page is passed back to the ring buffer for use on free. But
   the page could still be in use by the TCP stack.

Minor bugs:

 - Related to the first bug. No need to clear out the unused ring buffer
   data before sending to user space. It is now done by the ring buffer
   code itself.

 - Reset pointers after free on error path. There were some cases in
   the error path that pointers were freed but not set to NULL, and could
   have them freed again, having a pointer freed twice.

Please pull the latest trace-v4.15-rc4 tree, which can be found at:


  git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git
trace-v4.15-rc4

Tag SHA1: bd8e15502dea4c62617f963e512652dbf566a811
Head SHA1: 4397f04575c44e1440ec2e49b6302785c95fd2f8


Jing Xia (1):
      tracing: Fix crash when it fails to alloc ring buffer

Steven Rostedt (VMware) (4):
      ring-buffer: Mask out the info bits when returning buffer page length
      tracing: Remove extra zeroing out of the ring buffer page
      ring-buffer: Do no reuse reader page if still in use
      tracing: Fix possible double free on failure of allocating trace buffer

----
 kernel/trace/ring_buffer.c | 12 +++++++++++-
 kernel/trace/trace.c       | 13 ++++---------
 2 files changed, 15 insertions(+), 10 deletions(-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ