lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20161202.140925.1784959728501874377.davem@davemloft.net>
Date:   Fri, 02 Dec 2016 14:09:25 -0500 (EST)
From:   David Miller <davem@...emloft.net>
To:     sd@...asysnail.net
Cc:     netdev@...r.kernel.org, linville@...driver.com
Subject: Re: [PATCH net] geneve: avoid use-after-free of skb->data

From: Sabrina Dubroca <sd@...asysnail.net>
Date: Fri,  2 Dec 2016 16:49:29 +0100

> geneve{,6}_build_skb can end up doing a pskb_expand_head(), which
> makes the ip_hdr(skb) reference we stashed earlier stale. Since it's
> only needed as an argument to ip_tunnel_ecn_encap(), move this
> directly in the function call.
> 
> Fixes: 08399efc6319 ("geneve: ensure ECN info is handled properly in all tx/rx paths")
> Signed-off-by: Sabrina Dubroca <sd@...asysnail.net>

Applied and queued up for -stable, thanks.

This bug happens so many times that I think it might be time for
a debugging mode for pskb_expand_head() that unconditionally
reallocates the skb->data buffer regardless of whether it's
necessary or not and somehow unmaps the previous buffer to
force a trap on stale pointers.

Better ideas welcome, of course :)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ