Vulnerability title
TCP: handle the mixed splice()/sendmsg(MSG_ZEROCOPY) case
Vulnerability description
In the Linux kernel, the following vulnerability has been resolved:
TCP: handle the mixed splice()/sendmsg(MSG_ZEROCOPY) case
syzbot found that mixing sendpage() and sendmsg(MSG_ZEROCOPY) calls over the same TCP socket would again trigger the infamous warning in inet_sock_destruct():
```
WARN_ON(sk_forward_alloc_get(sk));
```
While Talal took into account a mix of regular copied data and MSG_ZEROCOPY data in the same skb, the sendpage() path had been forgotten.
We want the charging to happen for sendpage(), because the pages may come from a pipe. What is missing is the downgrading of the pure-zerocopy status, to make sure sk_forward_alloc stays in sync.
Add the tcp_downgrade_zcopy_pure() helper so that it can be used from both callers.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability category
Improper input validation
漏洞标题
tcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case
漏洞描述信息
In the Linux kernel, the following vulnerability has been resolved:
tcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case
syzbot found that mixing sendpage() and sendmsg(MSG_ZEROCOPY)
calls over the same TCP socket would again trigger the
infamous warning in inet_sock_destruct()
WARN_ON(sk_forward_alloc_get(sk));
While Talal took into account a mix of regular copied data
and MSG_ZEROCOPY one in the same skb, the sendpage() path
has been forgotten.
We want the charging to happen for sendpage(), because
pages could be coming from a pipe. What is missing is the
downgrading of pure zerocopy status to make sure
sk_forward_alloc will stay synced.
Add tcp_downgrade_zcopy_pure() helper so that we can
use it from the two callers.
CVSS information
N/A
Vulnerability category
N/A
Vulnerability title
Linux kernel security vulnerability
Vulnerability description
The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (United States). A security vulnerability exists in the Linux kernel, stemming from a mixed splice()/sendmsg(MSG_ZEROCOPY) issue found in the tcp module. When handling mixed calls of sendpage() and sendmsg(MSG_ZEROCOPY), it may trigger the warning in inet_sock_destruct().
CVSS information
N/A
Vulnerability category
Other