| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iKGqObLBOx-ZMJbYOJ3OSETDestrcf6Yj5HON0Pbda9tA@mail.gmail.com>
Date: Tue, 7 Nov 2023 04:40:08 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: Minjie Du <duminjie@...o.com>
Cc: "David S. Miller" <davem@...emloft.net>,
David Ahern <dsahern@...nel.org>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
"open list:NETWORKING [TCP]" <netdev@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>,
opensource.kernel@...o.com
Subject: Re: [PATCH v1] net/tcp: use kfree_sensitive() instend of kfree() in tcp_md5_twsk_free_rcu()
On Tue, Nov 7, 2023 at 3:35 AM Minjie Du <duminjie@...o.com> wrote:
>
> key might contain private information, so better use
> kfree_sensitive to free it.
> In tcp_md5_twsk_free_rcu() use kfree_sensitive().
>
> Signed-off-by: Minjie Du <duminjie@...o.com>
> ---
> net/ipv4/tcp_minisocks.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
> index a9807eeb311c..a7be78096783 100644
> --- a/net/ipv4/tcp_minisocks.c
> +++ b/net/ipv4/tcp_minisocks.c
> @@ -368,7 +368,7 @@ static void tcp_md5_twsk_free_rcu(struct rcu_head *head)
> struct tcp_md5sig_key *key;
>
> key = container_of(head, struct tcp_md5sig_key, rcu);
> - kfree(key);
> + kfree_sensitive(key);
> static_branch_slow_dec_deferred(&tcp_md5_needed);
> tcp_md5_release_sigpool();
> }
> --
> 2.39.0
>
1) net-next is currently closed.
2) such patch could send a wrong signal (false sense of security with MD5)
3) You forgot tcp_time_wait_init(), tcp_md5_do_del(), tcp_md5_key_copy(),
tcp_md5_do_add(), tcp_clear_md5_list().
More work is needed I am afraid, please wait until next week when
6-7-rc1 is tagged and net-next opens again.
Powered by blists - more mailing lists