Message-ID: <1315327182.2576.2985.camel@schen9-DESK>
Date: Tue, 06 Sep 2011 09:39:42 -0700
From: Tim Chen <tim.c.chen@...ux.intel.com>
To: "Yan, Zheng" <zheng.z.yan@...ux.intel.com>
Cc: sedat.dilek@...il.com, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "davem@...emloft.net" <davem@...emloft.net>, "sfr@...b.auug.org.au" <sfr@...b.auug.org.au>, "jirislaby@...il.com" <jirislaby@...il.com>
Subject: Re: [PATCH -next v2] unix stream: Fix use-after-free crashes

On Sun, 2011-09-04 at 16:23 +0800, Yan, Zheng wrote:
> On Sun, Sep 4, 2011 at 3:12 PM, Sedat Dilek <sedat.dilek@...glemail.com> wrote:
> > On Sun, Sep 4, 2011 at 7:44 AM, Yan, Zheng <zheng.z.yan@...el.com> wrote:
> >> Commit 0856a30409 (Scm: Remove unnecessary pid & credential references
> >> in Unix socket's send and receive path) introduced a use-after-free bug.
> >> It passes the scm reference to the first skb. Skb(s) afterwards may
> >> reference freed data structure because the first skb can be destructed
> >> by the receiver at any time. The fix is by passing the scm reference to
> >> the very last skb.
> >>
> >
> > s/by passing/bypassing ?
>
> No
>

Maybe it is clearer to say

The fix is by withholding the scm reference obtained at the beginning of
unix_stream_sendmsg via scm_send and passing it to the very last skb.

Tim

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
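The ordering problem discussed in this thread, as an added user-space model that is not part of the original message and is not kernel code. The names cred_obj, put_ref and send_stream are hypothetical, and the model assumes the worst case in which the receiver destroys each skb as soon as it is queued.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for the pid/credential object the scm data points at. */
struct cred_obj {
    int  refs;
    bool freed;   /* set instead of calling free(), so the model stays safe to run */
};

static void put_ref(struct cred_obj *c)
{
    if (--c->refs == 0)
        c->freed = true;
}

/*
 * Model of a stream send split into nskb buffers. The sender holds one
 * reference (as obtained once at the start of the send). The skb at index
 * `owner` inherits that reference without taking a new one; every other skb
 * takes its own. Returns how many times the sender touched the object after
 * it had already been freed.
 */
static int send_stream(int nskb, int owner)
{
    struct cred_obj cred = { .refs = 1, .freed = false };
    int stale_uses = 0;

    for (int i = 0; i < nskb; i++) {
        if (cred.freed)
            stale_uses++;        /* sender reads the object to attach it to skb i */
        if (i != owner)
            cred.refs++;         /* skb i takes its own reference */
        put_ref(&cred);          /* receiver consumes and destroys skb i at once */
    }
    return stale_uses;
}

int main(void)
{
    printf("reference handed to first skb, 3 skbs: %d stale uses\n", send_stream(3, 0));
    printf("reference handed to last skb,  3 skbs: %d stale uses\n", send_stream(3, 2));
    printf("single skb (first is also last):       %d stale uses\n", send_stream(1, 0));
    return 0;
}
```

The single-skb case shows why the problem only appears once a message is split across more than one skb.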