| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Oct 2019 02:46:11 -0700
From: Matthew Wilcox <willy@...radead.org>
To: Eric Dumazet <edumazet@...gle.com>
Cc: "David S . Miller" <davem@...emloft.net>,
netdev <netdev@...r.kernel.org>,
Eric Dumazet <eric.dumazet@...il.com>,
Soheil Hassas Yeganeh <soheil@...gle.com>,
syzbot <syzkaller@...glegroups.com>
Subject: Re: [PATCH net] tcp: fix slab-out-of-bounds in tcp_zerocopy_receive()
On Wed, Oct 02, 2019 at 08:19:59PM -0700, Eric Dumazet wrote:
> Apparently a refactoring patch brought a bug, that was caught
> by syzbot [1]
That wasn't refactoring. As you know (because we talked about it at
LSFMM), this is an enabling patch for supporting hch's work to fix
get_user_pages().
> Original code was correct, do not try to be smarter than the
> compiler :/
That wasn't an attempt to be smarter than the compiler. I was trying
to keep the line length below 80 columns. Which you probably now see
that you haven't done.
I must have a blind spot here. I can't see the difference between the
two versions.
> +++ b/net/ipv4/tcp.c
> @@ -1798,13 +1798,11 @@ static int tcp_zerocopy_receive(struct sock *sk,
> }
> if (skb_frag_size(frags) != PAGE_SIZE || skb_frag_off(frags)) {
> int remaining = zc->recv_skip_hint;
> - int size = skb_frag_size(frags);
>
> - while (remaining && (size != PAGE_SIZE ||
> + while (remaining && (skb_frag_size(frags) != PAGE_SIZE ||
> skb_frag_off(frags))) {
> - remaining -= size;
> + remaining -= skb_frag_size(frags);
> frags++;
> - size = skb_frag_size(frags);
> }
> zc->recv_skip_hint -= remaining;
> break;
> --
> 2.23.0.581.g78d2f28ef7-goog
>
Powered by blists - more mailing lists