lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 07 Sep 2011 13:20:56 +0800
From:	"Yan, Zheng" <zheng.z.yan@...el.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
CC:	"Yan, Zheng" <yanzheng@...n.com>,
	Tim Chen <tim.c.chen@...ux.intel.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"davem@...emloft.net" <davem@...emloft.net>,
	"sfr@...b.auug.org.au" <sfr@...b.auug.org.au>,
	"jirislaby@...il.com" <jirislaby@...il.com>,
	"sedat.dilek@...il.com" <sedat.dilek@...il.com>,
	"Shi, Alex" <alex.shi@...el.com>
Subject: Re: [PATCH -next v2] unix stream: Fix use-after-free crashes

On 09/07/2011 01:08 PM, Eric Dumazet wrote:
> Le mercredi 07 septembre 2011 à 12:36 +0800, Yan, Zheng a écrit :
> 
>> I guess you misunderstood this code. Set scm_ref to false means skb will inherit
>> sender's reference. Then we call unix_scm_to_skb() with parameter
>> 'ref' == false.
>> So it doesn't get additional reference. I admit my patch is confusing,
>> but I think
>> Tim's new patch is OK. (even in the case of fail skb allocation or
>> user->kernel copy)
>>
> 
> I want to be able to review the code now, and in two or three years too,
> without spending hours and hours.
> 
> Could you _please_ guys send a patch, with :
> 
> 1) A good changelog : In this confusing area, this is probably more
> important than actual code.
Sorry for my poor English.

> 
> 2) right logic and right variable names
> 
> I am sorry, but this is not good :
> 
> +               /* encode scm in skb and use the scm ref */
> +               ref_avail = false;
> +               if (sent + size < len) { 
> +                       /* Only send the fds in the first buffer */
> +                       /* get additional ref if more skbs will be created */
> +                       err = unix_scm_to_skb(siocb->scm, skb, !fds_sent, true);
> +                       ref_avail = true;
> +               } else
> +                       err = unix_scm_to_skb(siocb->scm, skb, !fds_sent, false);
> 
> 

Is code like this OK? Thanks
---
	if (sent + size < len) { 
		/* Only send the fds in the first buffer */
		/* get additional ref if more skbs will be created */
		err = unix_scm_to_skb(siocb->scm, skb, !fds_sent, true);
	} else {
		err = unix_scm_to_skb(siocb->scm, skb, !fds_sent, false);
		ref_avail = false;
	}


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists