| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20180902.160144.542360312136980090.davem@davemloft.net>
Date: Sun, 02 Sep 2018 16:01:44 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: baijiaju1990@...il.com
Cc: ktkhai@...tuozzo.com, viro@...iv.linux.org.uk, adobriyan@...il.com,
dvlasenk@...hat.com, xiyou.wangcong@...il.com,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: scm: Fix a possible sleep-in-atomic-context bug
in scm_fp_copy()
From: Jia-Ju Bai <baijiaju1990@...il.com>
Date: Sat, 1 Sep 2018 18:00:26 +0800
> The kernel module may sleep with holding a spinlock.
>
> The function call paths (from bottom to top) in Linux-4.16 are:
>
> [FUNC] kmalloc(GFP_KERNEL)
> net/core/scm.c, 85: kmalloc in scm_fp_copy
> net/core/scm.c, 161: scm_fp_copy in __scm_send
> ./include/net/scm.h, 88: __scm_send in scm_send
> net/unix/af_unix.c, 1600: scm_send in maybe_init_creds
> net/unix/af_unix.c, 1983: maybe_init_creds in unix_stream_sendpage
> net/unix/af_unix.c, 1973: spin_lock in unix_stream_sendpage
Please, do a full analysis of the code for these changes you are
submitting.
Read maybe_init_creds(), it sets msg.msg_controllen to zero.
struct msghdr msg = { .msg_controllen = 0 };
When that is zero, __scm__send() is never called.
static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
struct scm_cookie *scm, bool forcecreds)
{
...
if (msg->msg_controllen <= 0)
return 0;
return __scm_send(sock, msg, scm);
If this bug existed, sleeping in atomic warnings would be triggering
all the time and people would report that.
Powered by blists - more mailing lists