lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 May 2020 11:59:44 -0700 From: Martin KaFai Lau <kafai@...com> To: John Fastabend <john.fastabend@...il.com> CC: <jakub@...udflare.com>, <daniel@...earbox.net>, <netdev@...r.kernel.org>, <bpf@...r.kernel.org>, <ast@...nel.org> Subject: Re: [PATCH 1/2] bpf: sockmap, msg_pop_data can incorrecty set an sge length On Mon, May 04, 2020 at 10:21:23AM -0700, John Fastabend wrote: > When sk_msg_pop() is called where the pop operation is working on > the end of a sge element and there is no additional trailing data > and there _is_ data in front of pop, like the following case, > > > |____________a_____________|__pop__| > > We have out of order operations where we incorrectly set the pop > variable so that instead of zero'ing pop we incorrectly leave it > untouched, effectively. This can cause later logic to shift the > buffers around believing it should pop extra space. The result is > we have 'popped' more data then we expected potentially breaking > program logic. > > It took us a while to hit this case because typically we pop headers > which seem to rarely be at the end of a scatterlist elements but > we can't rely on this. > > Fixes: 7246d8ed4dcce ("bpf: helper to pop data from messages") > Signed-off-by: John Fastabend <john.fastabend@...il.com> Acked-by: Martin KaFai Lau <kafai@...com>
Powered by blists - more mailing lists