| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 May 2020 11:59:44 -0700
From: Martin KaFai Lau <kafai@...com>
To: John Fastabend <john.fastabend@...il.com>
CC: <jakub@...udflare.com>, <daniel@...earbox.net>,
<netdev@...r.kernel.org>, <bpf@...r.kernel.org>, <ast@...nel.org>
Subject: Re: [PATCH 1/2] bpf: sockmap, msg_pop_data can incorrecty set an sge
length
On Mon, May 04, 2020 at 10:21:23AM -0700, John Fastabend wrote:
> When sk_msg_pop() is called where the pop operation is working on
> the end of a sge element and there is no additional trailing data
> and there _is_ data in front of pop, like the following case,
>
>
> |____________a_____________|__pop__|
>
> We have out of order operations where we incorrectly set the pop
> variable so that instead of zero'ing pop we incorrectly leave it
> untouched, effectively. This can cause later logic to shift the
> buffers around believing it should pop extra space. The result is
> we have 'popped' more data then we expected potentially breaking
> program logic.
>
> It took us a while to hit this case because typically we pop headers
> which seem to rarely be at the end of a scatterlist elements but
> we can't rely on this.
>
> Fixes: 7246d8ed4dcce ("bpf: helper to pop data from messages")
> Signed-off-by: John Fastabend <john.fastabend@...il.com>
Acked-by: Martin KaFai Lau <kafai@...com>
Powered by blists - more mailing lists