On 200720 1946, Li Qiang wrote:
>
> This seems is the same issue as LP#1886362 .
> Look at the free path.
> Here the 'e1000e_write_to_rx_buffers' trigger DMA and then go to
> address space dispatch. So the DMA is not RAM but a MMIO range.
> Then we go to another send path, and in that we frees the
P J P 于2020年7月20日周一 下午8:57写道:
>
> +-- On Mon, 20 Jul 2020, Li Qiang wrote --+
> | This seems is the same issue as LP#1886362 . Look at the free path. Here the
> | 'e1000e_write_to_rx_buffers' trigger DMA and then go to address space
> | dispatch. So the DMA is not RAM but a MMIO range. Then we go
+-- On Mon, 20 Jul 2020, Li Qiang wrote --+
| This seems is the same issue as LP#1886362 . Look at the free path. Here the
| 'e1000e_write_to_rx_buffers' trigger DMA and then go to address space
| dispatch. So the DMA is not RAM but a MMIO range. Then we go to another send
| path, and in that we
Alexander Bulekov 于2020年7月20日周一 上午11:33写道:
>
> On 200720 0754, P J P wrote:
> > +-- On Fri, 17 Jul 2020, Li Qiang wrote --+
> > | P J P 于2020年7月17日周五 下午5:09写道:
> > | > @Alex, would it be possible to share the reproduces on the upstream bug
> > | > LP#1886362?
> > |
> > | Maybe you mean the reprod
On 200720 0754, P J P wrote:
> +-- On Fri, 17 Jul 2020, Li Qiang wrote --+
> | P J P 于2020年7月17日周五 下午5:09写道:
> | > @Alex, would it be possible to share the reproduces on the upstream bug
> | > LP#1886362?
> |
> | Maybe you mean the reproducer of your patch?
>
> Yes.
>
> | If you or Alex could
+-- On Fri, 17 Jul 2020, Li Qiang wrote --+
| P J P 于2020年7月17日周五 下午5:09写道:
| > @Alex, would it be possible to share the reproduces on the upstream bug
| > LP#1886362?
|
| Maybe you mean the reproducer of your patch?
Yes.
| If you or Alex could share it, I'm glad to analysis this issue.
@Alex
P J P 于2020年7月17日周五 下午5:09写道:
>
> +-- On Fri, 17 Jul 2020, Jason Wang wrote --+
> | Thanks but I don't see a direct relation between 64K limit and this
> | calltrace. Maybe you can elaborate more on this?
>
> The use-after-free is not function of the size per say; The reproducer given
> sends larg
+-- On Fri, 17 Jul 2020, Jason Wang wrote --+
| Thanks but I don't see a direct relation between 64K limit and this
| calltrace. Maybe you can elaborate more on this?
The use-after-free is not function of the size per say; The reproducer given
sends large(>64k) packets via loopback interface wit
On 2020/7/17 下午1:06, P J P wrote:
Hello Jason, all
+-- On Fri, 17 Jul 2020, Jason Wang wrote --+
| On 2020/7/17 上午9:21, Alexander Bulekov wrote:
| > On 200717 0853, Li Qiang wrote:
| >> Which issue are you trying to solve, any reference linking?
| >> I also send a patch related this part an
Hello Jason, all
+-- On Fri, 17 Jul 2020, Jason Wang wrote --+
| On 2020/7/17 上午9:21, Alexander Bulekov wrote:
| > On 200717 0853, Li Qiang wrote:
| >> Which issue are you trying to solve, any reference linking?
| >> I also send a patch related this part and also a UAF.
| >
| > I reported a UAF
On 2020/7/17 上午9:21, Alexander Bulekov wrote:
On 200717 0853, Li Qiang wrote:
P J P 于2020年7月17日周五 上午3:26写道:
From: Prasad J Pandit
While sending packets, the check that packet 'payload_len'
is within 64kB limit, seems to happen only for GSO frames.
It may lead to use-after-free or out-of-bo
On 200717 0853, Li Qiang wrote:
> P J P 于2020年7月17日周五 上午3:26写道:
> >
> > From: Prasad J Pandit
> >
> > While sending packets, the check that packet 'payload_len'
> > is within 64kB limit, seems to happen only for GSO frames.
> > It may lead to use-after-free or out-of-bounds access like
> > issues
P J P 于2020年7月17日周五 上午3:26写道:
>
> From: Prasad J Pandit
>
> While sending packets, the check that packet 'payload_len'
> is within 64kB limit, seems to happen only for GSO frames.
> It may lead to use-after-free or out-of-bounds access like
> issues when sending non-GSO frames. Check the 'payload
From: Prasad J Pandit
While sending packets, the check that packet 'payload_len'
is within 64kB limit, seems to happen only for GSO frames.
It may lead to use-after-free or out-of-bounds access like
issues when sending non-GSO frames. Check the 'payload_len'
limit for all packets, irrespective of
14 matches
Mail list logo
