[openib-general] Re: [PATCH] ipoib_mcast_restart_task

Michael S. Tsirkin mst at mellanox.co.il
Wed Apr 5 10:13:14 PDT 2006


Quoting r. Roland Dreier <rdreier at cisco.com>:
> Subject: Re: [PATCH] ipoib_mcast_restart_task
> 
>     Michael> The mcast pointer comes from stack.  Surely we could have
>     Michael> use after free in ipoib_mcast_join_complete trigger data
>     Michael> corruption on stack and then trip on it?
> 
> Now you're confusing me.  Isn't the mcast pointer kmalloc()ed?

Sorry about that.
I think the memory *it points to* is kmalloc()ed - the
pointer itself I think comes from stack.

static void
ipoib_mcast_sendonly_join_complete(int status,
                                   struct ib_sa_mcmember_rec *mcmember,
                                   void *mcast_ptr)
{
        struct ipoib_mcast *mcast = mcast_ptr;
        struct net_device *dev = mcast->dev;

So all I had in mind was obvious things like:

Assume that you have mcast point to random kernel data.
Doing things like skb_dequeue(&mcast->pkt_queue) will now do random things
to random memory locations; it could be stack or anything else.

-- 
MST
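As an added illustration of the lifetime issue discussed in this thread (example code, not from the thread and not IPoIB's own code): a hypothetical refcounted stand-in for the kmalloc()ed struct shows why a void * context handed to an asynchronous completion callback must stay alive until that callback has run, even if the restart path has already let go of it. The struct, function and field names are assumptions.

```c
#include <stdlib.h>

/* Added example, not OpenIB/IPoIB code. Models the lifetime problem in the
 * thread: a heap object (mcast_ctx, standing in for struct ipoib_mcast) whose
 * address travels into a join-completion callback as a void * argument. The
 * pointer variable lives on the callback's stack; the object it points to must
 * still be alive when the callback runs, which a reference count guarantees. */

static int g_frees;   /* how many ctx objects have been released so far */

struct mcast_ctx {
    int refcnt;        /* owner's reference + one per in-flight join */
    int pkt_queue_len; /* stand-in for mcast->pkt_queue */
};

static struct mcast_ctx *mcast_alloc(int queued) {
    struct mcast_ctx *m = calloc(1, sizeof *m);
    if (m) { m->refcnt = 1; m->pkt_queue_len = queued; }
    return m;
}

static void mcast_get(struct mcast_ctx *m) { m->refcnt++; }

/* Drops one reference; releases the object on the last one. */
static void mcast_put(struct mcast_ctx *m) {
    if (--m->refcnt == 0) { g_frees++; free(m); }
}

/* Stand-in for the completion callback: drains the queue, then drops the
 * reference that was taken when the join was issued. */
static int join_complete(int status, void *mcast_ptr) {
    struct mcast_ctx *mcast = mcast_ptr;   /* pointer on stack, object on heap */
    int drained = 0;
    if (status == 0)
        while (mcast->pkt_queue_len > 0) { mcast->pkt_queue_len--; drained++; }
    mcast_put(mcast);
    return drained;
}

/* Scenario: a join is issued (takes a ref), then the restart path releases the
 * owner's ref before completion arrives. Reports releases before and after the
 * callback and how many queued packets the callback could safely drain. */
struct outcome { int frees_before_cb; int frees_after_cb; int drained; };

static struct outcome run_restart_during_join(void) {
    struct outcome o = {0};
    struct mcast_ctx *m = mcast_alloc(3);
    if (!m) return o;
    mcast_get(m);                  /* reference for the in-flight join */
    mcast_put(m);                  /* restart task drops the owner's reference */
    o.frees_before_cb = g_frees;   /* still 0: object kept alive by the join */
    o.drained = join_complete(0, m);
    o.frees_after_cb = g_frees;    /* now 1: last reference dropped in callback */
    return o;
}
```

Without the mcast_get() before the join is issued, the owner's mcast_put() would release the object while the completion is still pending, and the callback's skb_dequeue()-style work would land on freed memory.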