| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 01 Dec 2015 14:33:05 -0800 From: Eric Dumazet <eric.dumazet@...il.com> To: Cong Wang <cwang@...pensource.com> Cc: pageexec@...email.hu, Daniele Fucini <dfucini@...il.com>, netdev <netdev@...r.kernel.org>, Jamal Hadi Salim <jhs@...atatu.com>, David Miller <davem@...emloft.net>, spender@...ecurity.net, re.emese@...il.com Subject: Re: size overflow in function qdisc_tree_decrease_qlen net/sched/sch_api.c On Tue, 2015-12-01 at 12:06 -0800, Eric Dumazet wrote: > On Tue, 2015-12-01 at 11:17 -0800, Cong Wang wrote: > > On Tue, Dec 1, 2015 at 11:09 AM, Eric Dumazet <eric.dumazet@...il.com> wrote: > > > On Tue, 2015-12-01 at 10:43 -0800, Cong Wang wrote: > > > > > >> This smells hacky... Another way to fix this is to hold the qdisc tree > > >> lock in mq_dump(), since it is not a hot path (comparing with > > >> enqueue/dequeue)? > > > > > > Really ? Which qdisc tree lock will protect you exactly ??? > > > > > > Whole point of MQ is that each TX queue has its own lock. > > > > > > So multiple cpus can call qdisc_tree_decrease_qlen() at the same time, > > > holding their own lock. > > > > > > Clearly modifying mq 'data' is wrong. > > > > Ah, yeah, but mq _seems_ also the only one who modifies sch->q.qlen > > in ->dump(), which is the root cause of this bug. I am wondering if it should > > just compute the qlen and return it without modifying sch->q.qlen. > > Sure, but then we still would get PAX underflows warnings ... > > Also need to take care of sch->qstats.drops += count; > > Also that would require a change of ->dump() api, since tc_fill_qdisc() > does : > > if (q->ops->dump && q->ops->dump(q, skb) < 0) > goto nla_put_failure; > qlen = q->q.qlen; > > Not sure it is worth the pain, changing signature of all ->dump() > handlers... > > > What about adding TCQ_F_NOPARENT and then : > > Note : Seems to be more invasive patch for net tree (need to properly > set TCQ_F_NOPARENT) Hmm... it looks like we have a much more serious bug : qdisc_lookup() calls qdisc_match_from_root(dev->qdisc, handle) without proper lock being held, so we might actually crash the host, if qdisc_tree_decrease_qlen() happens at the time qdiscs are changed. qdisc_tree_decrease_qlen() needs serious care :( Damned. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists