tap: use after free
Bug #1889735 reported by
Juerg Haefliger
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Invalid | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
If the socket buffer array of a tap queue is full, a received packet needs to be dropped. Currently, the check for the array being full is performed without holding the array's lock, which might lead to use-after-free errors if the socket buffer array has been resized concurrently.
[Test Case]
TBD.
[Regression Potential]
The check for the array being full is simply dropped. In case the array is full, the subsequent (locked) frame handling will fail and the frame is eventually dropped. A regression would manifest itself if the frame is not dropped for whatever reason and is inserted into the full (ring) buffer, overwriting the oldest frame in the buffer. So we'd end up with frame/packet loss.
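The behaviour the fix relies on, as an added user-space illustration that is not the Ubuntu or upstream kernel code: a minimal pointer ring whose fullness check happens under the same lock as the insertion, so a concurrent resize cannot free the slot array underneath the producer. All names here (`struct ring`, `ring_produce`, `ring_resize`, `ring_demo`) are hypothetical; the racy `ring_full_unlocked` is kept only to show the shape of the check that was removed.

```c
/* Added illustration, not kernel code. Models a tap-style pointer ring:
 * the producer's "is it full?" check must be made under the ring lock. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

struct ring {
    void **queue;         /* slot array; NULL slot means empty */
    int size;             /* number of slots */
    int producer;         /* next slot the producer writes */
    int consumer;         /* next slot the consumer reads */
    pthread_mutex_t lock; /* protects queue, size and both indices */
};

int ring_init(struct ring *r, int size)
{
    r->queue = calloc((size_t)size, sizeof(void *));
    if (!r->queue)
        return -ENOMEM;
    r->size = size;
    r->producer = r->consumer = 0;
    pthread_mutex_init(&r->lock, NULL);
    return 0;
}

/* Shape of the removed check: reads the slot array with no lock held.
 * If another thread is inside ring_resize(), r->queue may already be
 * freed, so this read is a use-after-free. Never call it concurrently. */
int ring_full_unlocked(const struct ring *r)
{
    return r->queue[r->producer] != NULL;
}

/* Safe path: the fullness check and the insertion share one critical
 * section. Returns -ENOSPC when full; the caller then drops the frame
 * instead of overwriting the oldest entry. */
int ring_produce(struct ring *r, void *frame)
{
    int rc = 0;
    pthread_mutex_lock(&r->lock);
    if (r->queue[r->producer] != NULL) {
        rc = -ENOSPC;
    } else {
        r->queue[r->producer] = frame;
        if (++r->producer == r->size)
            r->producer = 0;
    }
    pthread_mutex_unlock(&r->lock);
    return rc;
}

void *ring_consume(struct ring *r)
{
    void *frame;
    pthread_mutex_lock(&r->lock);
    frame = r->queue[r->consumer];
    if (frame) {
        r->queue[r->consumer] = NULL;
        if (++r->consumer == r->size)
            r->consumer = 0;
    }
    pthread_mutex_unlock(&r->lock);
    return frame;
}

/* Swaps in a new slot array of new_size slots, moving queued entries
 * oldest-first (entries beyond new_size are discarded) and freeing the
 * old array. Done entirely under the lock. */
int ring_resize(struct ring *r, int new_size)
{
    void **fresh = calloc((size_t)new_size, sizeof(void *));
    int i, n = 0;
    if (!fresh)
        return -ENOMEM;
    pthread_mutex_lock(&r->lock);
    for (i = r->consumer; r->queue[i] && n < new_size;) {
        fresh[n++] = r->queue[i];
        r->queue[i] = NULL;
        if (++i == r->size)
            i = 0;
    }
    free(r->queue);
    r->queue = fresh;
    r->size = new_size;
    r->consumer = 0;
    r->producer = (n == new_size) ? 0 : n;
    pthread_mutex_unlock(&r->lock);
    return 0;
}

/* Scenario: a 2-slot ring gets 3 frames; the third is rejected rather
 * than overwriting the oldest. After growing to 4 slots there is room
 * again and frames come out in order. Returns 0 on success, else the
 * number of the first failing step. */
int ring_demo(void)
{
    struct ring r;
    int a = 1, b = 2, c = 3;
    if (ring_init(&r, 2) != 0) return 1;
    if (ring_produce(&r, &a) != 0) return 2;
    if (ring_produce(&r, &b) != 0) return 3;
    if (ring_produce(&r, &c) != -ENOSPC) return 4; /* full: dropped */
    if (ring_resize(&r, 4) != 0) return 5;
    if (ring_produce(&r, &c) != 0) return 6;       /* room again */
    if (ring_consume(&r) != &a) return 7;          /* oldest survived */
    if (ring_consume(&r) != &b) return 8;
    if (ring_consume(&r) != &c) return 9;
    if (ring_consume(&r) != NULL) return 10;
    free(r.queue);
    return 0;
}
```

The point of the model is the regression scenario in the description: with the unlocked check gone, `ring_produce` alone decides whether a frame is dropped, and it does so while holding the lock that `ring_resize` also takes, so it can never observe a freed array and never overwrites a live slot.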
Bug activity:
- description: updated
- Changed in linux (Ubuntu): status: Incomplete → Invalid
- Changed in linux (Ubuntu Bionic): status: Incomplete → Confirmed
- description: updated
- Changed in linux (Ubuntu Bionic): status: Confirmed → Fix Committed
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
`apport-collect 1889735`
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.