Message-ID: <1471372748.4943.7.camel@edumazet-glaptop3.roam.corp.google.com>
Date: Tue, 16 Aug 2016 11:39:08 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: netdev@...r.kernel.org, Marco Grassi <marco.gra@...il.com>,
Yuchung Cheng <ycheng@...gle.com>,
Neal Cardwell <ncardwell@...gle.com>
Subject: Re: Fw: Linux tcp_xmit_retransmit_queue use after free on 4.8-rc1 /
master]
On Tue, 2016-08-16 at 08:39 -0700, Eric Dumazet wrote:
> On Tue, 2016-08-16 at 12:45 +0200, Greg KH wrote:
> > For some reason Marco's emails can't make it to netdev, so I'm
> > forwarding this on. Please cc: him on responses.
>
> Thanks for the report Greg and Marco.
>
> My first guess is this is caused by
>
> d41a69f1d390 tcp: make tcp_sendmsg() aware of socket backlog
>
> And a combination of funky sendmsg() flags (like FastOpen)
>
> I will look at this problem today.
>
No, the above commit was innocent ;)
It looks like the bug is very old, and the following patch would fix it.
I will submit it formally after a few tests.
diff --git a/include/net/tcp.h b/include/net/tcp.h
index c00e7d51bb18..7717302cab91 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1523,6 +1523,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
{
if (sk->sk_send_head == skb_unlinked)
sk->sk_send_head = NULL;
+ if (tcp_sk(sk)->highest_sack == skb_unlinked)
+ tcp_sk(sk)->highest_sack = NULL;
}
static inline void tcp_init_send_head(struct sock *sk)
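Review bot: the new `if (tcp_sk(sk)->highest_sack == skb_unlinked)` check sits in tcp_check_send_head(), whose name only covers sk_send_head, and nothing in the hunk says why a send-head helper now resets SACK state. Add a short comment above the check stating that highest_sack must not keep pointing at an skb that is being unlinked (the use-after-free in the subject line), or give the helper a name that covers both pointers. The formal submission should also say which unlink paths can leave highest_sack referencing the unlinked skb, and confirm that every reader of highest_sack tolerates NULL, since the hunk starts storing NULL there. Minor style point: tcp_sk(sk) is evaluated twice in the added lines; a local `struct tcp_sock *tp = tcp_sk(sk);` would read more cleanly.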