Open Source and information security mailing list archives
Date:	Thu, 24 Jan 2013 12:13:10 +0100
From:	Alex Lochmann <alexander.lochmann@...-dortmund.de>
To:	netdev@...r.kernel.org
Subject: Extending struct sk_buff

Hi all,

I'm currently writing a patch to annotate a single sendmsg call with 
meta information, like a maximum amount of time this data could be delayed.
Thus I extended the sendmsg system call to handle a recently added 
MSG_MSGMETA flag, which tells the kernel to copy the struct msgmeta as 
well as the struct msghdr from userspace.
This information needs to be propagated to the qdisc, so it can delay a 
single sk_buff until the maximum delay is reached. Therefore I modified 
the tcp subsystem (tcp_sendmsg) to assign the pointer to a kmalloc'ed 
kernel-space area to a member of struct sk_buff.
Each time I assign this pointer I increment a reference counter located 
in the struct msgmeta. After doing so I'm able to decrement it on each 
call to __kfree_skbuff. If the counter reaches zero, I free the 
allocated kernel-space area.
Sometimes an skbuff gets freed in the context of a syscall, and 
everything goes fine.

If the kernel tries to access the allocated kernel-space area after 
returning to userspace, the memory area gets corrupted...
The kernel log says the following:
[  189.445630] [msgmeta] Assign msgmeta(0xf5d516d0) to skb(0xf3c4a480)
[  189.445636] [msgmeta] Assigned msgmeta(0xf5d516d0) to skb(0xf3c4a480) - delay is: 0x133700, refcnt is: 0x1
[  189.445646] [msgmeta] Assign msgmeta(0xf5d516d0) to skb(0xf3c4a530)
[  189.445651] [msgmeta] Assigned msgmeta(0xf5d516d0) to skb(0xf3c4a530) - delay is: 0x133700, refcnt is: 0x2
[  189.445666] [msgmeta] Assign msgmeta(0xf5d516d0) to skb(0xf4ac4540)
[  189.445671] [msgmeta] Assigned msgmeta(0xf5d516d0) to skb(0xf4ac4540) - delay is: 0x133700, refcnt is: 0x3
[  189.445680] [msgmeta] Not freeing msgmeta(0xf5d516d0), there are still references to it (0x2). Cloned? 0
[  189.445719] [msgmeta] return to userspace
[  189.445974] [msgmeta] Magic value corrupted! skb = 0xf3c4a480, meta = 0xf5d516d0, magicA = 0xf5d51e00, delay = 0x133700, magicB = 0xff350011, counter = 0x2, phys = 0x35d516d0, function: (null)
[  189.445983] [msgmeta] Not freeing msgmeta(0xf5d516d0), there are still references to it (0x1). Cloned? 0

I don't know what's going wrong. :-(
Can you please help me?

Thanks in advance!

Greetings
Alex

View attachment "msgmeta.patch" of type "text/x-patch" (12390 bytes)
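The refcounted msgmeta scheme the mail describes, modelled in userspace as an added example (constructed here, not the poster's patch or kernel code): one reference per skb that holds the pointer, a separate clone path that takes its own reference (going one step beyond the mail, since the log prints a "Cloned?" flag), and canary values like the magicA/magicB in the log so a damaged object is detected before it is freed. All names (msgmeta_alloc, msgmeta_check, skb_attach_meta, skb_clone_meta, skb_release_meta, demo_shared_meta) are assumptions.

```c
/* Constructed userspace model of the msgmeta scheme; all names are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#define MAGIC_A 0xf5d51e00u  /* guard values mirror magicA/magicB in the log */
#define MAGIC_B 0xff350011u
struct msgmeta {
    uint32_t magic_a;    /* canary in front of the payload */
    uint32_t max_delay;  /* maximum time this data may be delayed */
    uint32_t magic_b;    /* canary behind the payload */
    int refcnt;          /* one reference per skb that holds the pointer */
};
struct skb { struct msgmeta *meta; };
struct msgmeta *msgmeta_alloc(uint32_t delay) {
    struct msgmeta *m = calloc(1, sizeof *m);
    if (m) { m->magic_a = MAGIC_A; m->max_delay = delay; m->magic_b = MAGIC_B; }
    return m;
}
/* 1 if both canaries are intact, 0 if the object was overwritten or is NULL. */
int msgmeta_check(const struct msgmeta *m) {
    return m && m->magic_a == MAGIC_A && m->magic_b == MAGIC_B;
}
/* Every holder of the pointer owns one reference: the original skb ... */
void skb_attach_meta(struct skb *s, struct msgmeta *m) { s->meta = m; m->refcnt++; }
/* ... and every clone, which copies the pointer and must take its own. */
void skb_clone_meta(struct skb *dst, const struct skb *src) {
    dst->meta = src->meta; if (dst->meta) dst->meta->refcnt++;
}
/* Free-path hook: drops one reference, returns how many remain (0 == freed). */
int skb_release_meta(struct skb *s) {
    struct msgmeta *m = s->meta;
    int left = m ? --m->refcnt : 0;
    s->meta = NULL;
    if (m && left == 0) { m->magic_a = m->magic_b = 0; free(m); }
    return left;
}
/* Scenario from the log: one msgmeta shared by three skbs plus a clone of the first.
 * Returns refcount after clone and original are released (2), or -1 on canary damage. */
int demo_shared_meta(void) {
    struct skb s[3] = {{0}}, c = {0};
    struct msgmeta *m = msgmeta_alloc(0x133700);
    int left, ok;
    if (!m) return -1;
    for (int i = 0; i < 3; i++) skb_attach_meta(&s[i], m);   /* refcnt 3 */
    skb_clone_meta(&c, &s[0]);                                /* refcnt 4 */
    skb_release_meta(&s[0]);
    left = skb_release_meta(&c);                              /* refcnt 2 */
    ok = msgmeta_check(m);
    skb_release_meta(&s[1]); skb_release_meta(&s[2]);         /* refcnt 0, freed */
    return ok ? left : -1;
}
```

In a real free path the decrement would have to be atomic, and the canary check belongs in front of every dereference of the shared object, not only before the final free.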
