Message-Id: <20190825.194811.1923451232916556610.davem@davemloft.net>
Date:   Sun, 25 Aug 2019 19:48:11 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     loyou85@...il.com
Cc:     edumazet@...gle.com, dsterba@...e.com, dbanerje@...mai.com,
        fw@...len.de, davej@...emonkey.org.uk, tglx@...utronix.de,
        matwey@....msu.ru, sakari.ailus@...ux.intel.com,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        xiaojunzhao141@...il.com
Subject: Re: [PATCH] net: fix skb use after free in netpoll_send_skb_on_dev

From: Feng Sun <loyou85@...il.com>
Date: Sat, 24 Aug 2019 00:32:00 +0800

> After commit baeababb5b85d5c4e6c917efe2a1504179438d3b
> ("tun: return NET_XMIT_DROP for dropped packets"),
> when tun_net_xmit drops packets, it will free skb and return NET_XMIT_DROP,
> netpoll_send_skb_on_dev will run into two use after free cases:

I don't know what to do here.

Really, the intention of the design is that the only valid
->ndo_start_xmit() values are those with macro names fitting the
pattern NETDEV_TX_*, which means only NETDEV_TX_OK and NETDEV_TX_BUSY
are valid.

NET_XMIT_* values are for qdisc ->enqueue() methods.

Note, particularly, that when ->ndo_start_xmit() values are propagated
through ->enqueue() calls they get masked out with NET_XMIT_MASK.

However, I see that most of the code doing enqueueing and invocation
of ->ndo_start_xmit() uses the dev_xmit_complete() helper to check this
condition.

So probably that is what netpoll should be using as well.
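
The return-code convention described in this message, as a userspace C model added here (it is not code from the thread, the patch, or the kernel tree). The constants and the dev_xmit_complete() test follow include/linux/netdevice.h; struct model_skb, model_xmit(), naive_consumed() and touches_freed_skb() are hypothetical names used only for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Values as in the kernel's include/linux/netdevice.h */
#define NET_XMIT_DROP  0x01   /* qdisc ->enqueue() code: packet dropped */
#define NET_XMIT_CN    0x02   /* qdisc ->enqueue() code: congestion */
#define NET_XMIT_MASK  0x0f
#define NETDEV_TX_OK   0x00   /* ->ndo_start_xmit(): driver took the skb */
#define NETDEV_TX_BUSY 0x10   /* ->ndo_start_xmit(): caller keeps the skb */

/* Same test as the kernel helper: true means the skb was consumed. */
static bool dev_xmit_complete(int rc) { return rc < NET_XMIT_MASK; }

/* Hypothetical caller check that only recognises NETDEV_TX_OK. */
static bool naive_consumed(int rc) { return rc == NETDEV_TX_OK; }

struct model_skb { bool freed; };   /* stand-in for struct sk_buff */

/* Model driver: every outcome except NETDEV_TX_BUSY consumes the skb. */
static int model_xmit(struct model_skb *skb, int rc)
{
    if (rc != NETDEV_TX_BUSY)
        skb->freed = true;
    return rc;
}

/* True when the caller would retry or requeue an skb that is already freed. */
static bool touches_freed_skb(int rc, bool (*consumed)(int))
{
    struct model_skb skb = { false };
    int status = model_xmit(&skb, rc);
    return !consumed(status) && skb.freed;
}

int main(void)
{
    /* Constructed sample return codes; -12 stands for a negative errno. */
    const int rcs[] = { NETDEV_TX_OK, NET_XMIT_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, -12 };
    for (size_t i = 0; i < sizeof(rcs) / sizeof(rcs[0]); i++)
        printf("rc=%d naive_uaf=%d helper_uaf=%d\n", rcs[i],
               touches_freed_skb(rcs[i], naive_consumed),
               touches_freed_skb(rcs[i], dev_xmit_complete));
    return 0;
}
```

Only NETDEV_TX_BUSY (0x10) fails the `rc < NET_XMIT_MASK` test, so a caller using the helper keeps ownership of the skb in exactly the one case where the driver did not consume it.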
