From: Christopher Lameter <cl@linux.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: Kees Cook <keescook@chromium.org>,
Laura Abbott <labbott@redhat.com>,
Anton Eidelman <anton@lightbitslabs.com>,
Linux-MM <linux-mm@kvack.org>,
linux-hardened@lists.openwall.com
Subject: Re: HARDENED_USERCOPY will BUG on multiple slub objects coalesced into an sk_buff fragment
Date: Tue, 5 Jun 2018 14:51:22 +0000 [thread overview]
Message-ID: <01000163d06e5616-69f9336a-c45d-4aa0-9ff1-76354b8949e2-000000@email.amazonses.com> (raw)
In-Reply-To: <20180601205837.GB29651@bombadil.infradead.org>
On Fri, 1 Jun 2018, Matthew Wilcox wrote:
> > >> My take on the root cause:
> > >> When adding data to an skb, new data is appended to the current
> > >> fragment if the new chunk immediately follows the last one: by simply
> > >> increasing the frag->size, skb_frag_size_add().
> > >> See include/linux/skbuff.h:skb_can_coalesce() callers.
> >
> > Oooh, sneaky:
> > return page == skb_frag_page(frag) &&
> > off == frag->page_offset + skb_frag_size(frag);
> >
> > Originally I was thinking that slab red-zoning would get triggered
> > too, but I see the above is checking to see if these are precisely
> > neighboring allocations, I think.
> >
> > But then ... how does freeing actually work? I'm really not sure how
> > this seeming layering violation could be safe in other areas?
So if there are two neighboring slab objects that the page struct
addresses will match and the network code will coalesce the objects even
if they are in two different slab objects?
The check in skb_can_coalesce() must verify that these are distinct slab
object. Simple thing would be to return false if one object is a slab
object but then the coalescing would not work in a single slab object
either.
So what needs to happen is that we need to check if this is
1) A Page. Then the proper length of the segment within we can coalesce is
the page size.
2) A slab page. Then we can use ksize() to establish the end of the slab
object and we should only coalesce within that boundary.
prev parent reply other threads:[~2018-06-05 14:51 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-01 0:03 Anton Eidelman
2018-06-01 19:02 ` Laura Abbott
2018-06-01 20:49 ` Kees Cook
2018-06-01 20:58 ` Matthew Wilcox
2018-06-01 21:55 ` Kees Cook
2018-06-01 23:34 ` Anton Eidelman
2018-06-05 15:27 ` Christopher Lameter
2018-06-05 20:45 ` Anton Eidelman
2018-06-05 21:43 ` Christopher Lameter
2018-06-05 14:51 ` Christopher Lameter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=01000163d06e5616-69f9336a-c45d-4aa0-9ff1-76354b8949e2-000000@email.amazonses.com \
--to=cl@linux.com \
--cc=anton@lightbitslabs.com \
--cc=keescook@chromium.org \
--cc=labbott@redhat.com \
--cc=linux-hardened@lists.openwall.com \
--cc=linux-mm@kvack.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox