lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <D4E91882-A53B-44CC-9741-14B19B863C9F@gmail.com>
Date:   Tue, 9 Nov 2021 00:44:14 +0900
From:   kaz1020 <kaz1020@...il.com>
To:     Antonio Messina <amessina@...gle.com>
Cc:     linux-kernel@...r.kernel.org, davem@...emloft.net,
        kuznet@....inr.ac.ru, yoshfuji@...ux-ipv6.org,
        netdev@...r.kernel.org
Subject: Re: [PATCH] udp: fix integer overflow while computing available space
 in sk_rcvbuf

Antonio Messina at Google,
Linux Kernel maintainers,

I read the following fraud Google Blog.
https://cloud.google.com/blog/topics/inside-google-cloud/google-cloud-support-engineer-solves-a-tough-dns-case

I require Antonio Messina the fulfillment of obligations.
Antonio Messina accepted the following requests on June 27, 2020.

I requested Antonio Messina to correct his mistakes.
- Rewrite the article on fraud Google Blog
- Send the new patch I proposed

Past, I explained the following result to Antonio Messina and Google.

Abstract:
The “size" variable of the following line will be removed.
Line: https://github.com/torvalds/linux/blob/v5.4/net/ipv4/udp.c#L1478

Because comparing "to be allocated buffer size" and "Max buffer size" + "size."
Antonio Messina's mistake: if (rmem > (unsigned int)(size + sk->sk_rcvbuf))
The fix I propose: if (rmem > sk->sk_rcvbuf)
 
Details:
In the function __udp_enqueue_schedule_skb.
- rmem: Same as sk->sk_rmem_alloc.
  -- It means allocated or to be allocated buffer size.
- sk->sk_rcvbuf: Max buffer size(purpose to limit the buffer size).
- size: Same as skb->truesize.
  -- It means a packet size.

The original problem is committed by: 
https://github.com/torvalds/linux/commit/363dc73acacbbcdae98acf5612303e9770e04b1d
In addition, the condition sentence has been corrupted before this commit.

Antonio Messina sent a poor patch: 
https://lkml.org/lkml/2019/12/19/482

-- 
Fix it,
kaz1020

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ