Message-ID: <1371028618.3252.57.camel@edumazet-glaptop>
Date:	Wed, 12 Jun 2013 02:16:58 -0700
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Dave Wiltshire <david.wiltshire@....com>
Cc:	davem@...emloft.net, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org, nsujir@...adcom.com,
	mchan@...adcom.com, rmody@...cade.com, jcliburn@...il.com,
	chris.snook@...il.com, jeffrey.t.kirsher@...el.com,
	bruce.w.allan@...el.com, alexander.h.duyck@...el.com,
	cooldavid@...ldavid.org, linux-driver@...gic.com,
	linux-wimax@...el.com, wimax@...uxwimax.org,
	linux-wireless@...r.kernel.org, viro@...iv.linux.org.uk,
	eparis@...hat.com, edumazet@...gle.com, dev@...nvswitch.org,
	jhs@...atatu.com
Subject: Re: [PATCH 1/3] skbuff: Update truesize in pskb_expand_head

On Wed, 2013-06-12 at 19:05 +1000, Dave Wiltshire wrote:
> Some call sites to pskb_expand_head subsequently update the skb truesize
> and others don't (even with non-zero arguments). This is likely a memory
> audit leak. Fixed this up by moving the memory accounting to the
> skbuff.c file and removing it from the calling sites.
> 
> Signed-off-by: Dave Wiltshire <david.wiltshire@....com>
> ---
>  drivers/net/wireless/mwl8k.c |    1 -
>  kernel/audit.c               |    2 --
>  net/core/skbuff.c            |    1 +
>  net/netlink/af_netlink.c     |    3 +--
>  net/wireless/util.c          |    2 --
>  5 files changed, 2 insertions(+), 7 deletions(-)

Ouch.

Sorry, you cannot do that.

skb->truesize is really complex, because there is a strong relation
between skb->truesize and memory accounting on sockets.

So pskb_expand_head() should not touch skb->truesize.

Only callers can do that when needed, and if possible.

An example of very careful truesize manipulation can be found in
tcp_tso_segment()
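
The coupling described in the reply above, as an added example that is not part of the original message or of the kernel source: a userspace toy model in which a socket is charged `truesize` bytes when it takes ownership of a buffer and uncharged the current `truesize` when the buffer is freed. All structs and functions are simplified stand-ins (assumptions) that borrow kernel names, and the sizes are constructed.

```c
#include <stdio.h>

/* Toy userspace model, NOT kernel code. Hypothetical stand-ins only. */
struct sock { long rmem_alloc; };                 /* bytes charged to the socket */
struct sk_buff { struct sock *sk; unsigned int truesize; };

/* Charge the buffer to the socket using truesize at ownership time. */
static void model_set_owner(struct sk_buff *skb, struct sock *sk)
{
    skb->sk = sk;
    sk->rmem_alloc += skb->truesize;
}

/* Uncharge on free using whatever truesize holds at that moment. */
static void model_free(struct sk_buff *skb)
{
    if (skb->sk)
        skb->sk->rmem_alloc -= skb->truesize;
    skb->sk = NULL;
}

/* Variant A: the expand helper bumps truesize and knows nothing of the socket. */
static void expand_touching_truesize(struct sk_buff *skb, unsigned int extra)
{
    skb->truesize += extra;
}

/* Variant B: the caller, which knows the owner, adjusts size and charge together. */
static void caller_adjusts(struct sk_buff *skb, unsigned int extra)
{
    skb->truesize += extra;
    if (skb->sk)
        skb->sk->rmem_alloc += extra;
}

/* Residual socket charge after one charge / expand / free cycle (0 is balanced). */
long residual_after(int helper_touches_truesize)
{
    struct sock sk = { 0 };
    struct sk_buff skb = { NULL, 768 };           /* constructed sample size */

    model_set_owner(&skb, &sk);
    if (helper_touches_truesize)
        expand_touching_truesize(&skb, 256);
    else
        caller_adjusts(&skb, 256);
    model_free(&skb);
    return sk.rmem_alloc;
}

int main(void)
{
    printf("helper: %ld, caller: %ld\n", residual_after(1), residual_after(0));
    return 0;
}
```

In the model, changing `truesize` on an owned buffer without adjusting the socket's counter leaves the counter unbalanced after the free, while the caller-side adjustment returns it to zero.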


