lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZKPgkgiddAl9qddT@gondor.apana.org.au>
Date:   Tue, 4 Jul 2023 17:04:18 +0800
From:   Herbert Xu <herbert@...dor.apana.org.au>
To:     David Howells <dhowells@...hat.com>
Cc:     Ondrej Mosnacek <omosnacek@...il.com>,
        Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
        Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        regressions@...ts.linux.dev
Subject: Re: Regression bisected to "crypto: af_alg: Convert
 af_alg_sendpage() to use MSG_SPLICE_PAGES"

On Tue, Jul 04, 2023 at 09:50:37AM +0100, David Howells wrote:
> One problem with libkcapi is that it's abusing vmsplice().  It must not use
> vmsplice(SPLICE_F_GIFT) on a buffer that's in the heap.  To quote the manual
> page:
> 
> 	      The user pages are a gift to the kernel.   The  application  may
>               not  modify  this  memory ever, otherwise the page cache and on-
>               disk data may differ.  Gifting pages to the kernel means that  a
>               subsequent  splice(2)  SPLICE_F_MOVE  can  successfully move the
>               pages;  if  this  flag  is  not  specified,  then  a  subsequent
>               splice(2)  SPLICE_F_MOVE must copy the pages.  Data must also be
>               properly page aligned, both in memory and length.
> 
> Basically, this can destroy the integrity of the process's heap as the
> allocator may have metadata there that then gets excised.

All it's saying is that if you modify the data after sending it off
via splice then the data that will be on the wire is undefined.

There is no reason why this should crash.

> If I remove the flag, it still crashes, so that's not the only problem.

If we can't fix this the patches should be reverted.

Thanks,
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ