| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <05d630bf-7fa8-4495-6345-207f133ef746@blackwall.org>
Date: Tue, 20 Dec 2022 12:13:12 +0200
From: Nikolay Aleksandrov <razor@...ckwall.org>
To: Joy Gu <jgu@...estorage.com>, bridge@...ts.linux-foundation.org
Cc: roopa@...dia.com, davem@...emloft.net, edumazet@...gle.com,
kuba@...nel.org, pabeni@...hat.com, joern@...estorage.com,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: bridge: mcast: read ngrec once in igmp3/mld2 report
On 20/12/2022 04:48, Joy Gu wrote:
> In br_ip4_multicast_igmp3_report() and br_ip6_multicast_mld2_report(),
> "ih" or "mld2r" is a pointer into the skb header. It's dereferenced to
> get "num", which is used in the for-loop condition that follows.
>
> Compilers are free to not spend a register on "num" and dereference that
> pointer every time "num" would be used, i.e. every loop iteration. Which
> would be a bug if pskb_may_pull() (called by ip_mc_may_pull() or
> ipv6_mc_may_pull() in the loop body) were to change pointers pointing
> into the skb header, e.g. by freeing "skb->head".
>
> We can avoid this by using READ_ONCE().
>
> Suggested-by: Joern Engel <joern@...estorage.com>
> Signed-off-by: Joy Gu <jgu@...estorage.com>
> ---
> net/bridge/br_multicast.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
I doubt any compiler would do that (partly due to the ntohs()). If you have hit a bug or
seen this with some compiler please provide more details, disassembly of the resulting
code would be best.
Thanks.
Powered by blists - more mailing lists