net/rtdev: Commit e972e78e reintroduces memory corruption fixed by 74464ee3

Jouko Haapaluoma jouko.haapaluoma at
Fri Mar 8 13:47:19 CET 2019


I have been investigating kernel memory corruption issues in our system (Xenomai 2.6.4 and RTnet
I traced the root cause to the rtdev_map_rtskb() function, where a linked list is always grown but never shrunk.
You have recently created a patch that fixes this: 74464ee3.

Additionally, there seemed to be a regression and that was fixed in e972e78e. However, this regression fix
reintroduces the memory corruption in cases where the rtdev does not have the rtdev->map_rtskb function defined.
Therefore we end up in the situation that existed before 74464ee3: the rtskb_mapwait_list will grow but not shrink.
If sockets are destroyed and recreated, the rtskb_mapwait_list->next will point to a destroyed skb object which causes a
use-after-free memory corruption when calling list_add().

Best Regards,
Jouko Haapaluoma
Senior Software Designer
Embedded Linux Technology Specialist
Wapice Ltd, Finland
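Added illustration, not code from Xenomai/RTnet and not the poster's: a minimal model of the pattern the report describes (a wait list that entries are added to but never removed from) beside the unlink-before-release teardown, with a checker for the invariant that every node on the list belongs to a live object. The names skb_queue, skb_destroy_leaky, skb_destroy_fixed, mapwait_dangling and scenario are assumptions, and a destroyed flag stands in for free() so the checker can walk the list without touching released memory.

```c
#include <stdbool.h>
#include <stddef.h>
/* Minimal intrusive list in the style of the kernel's list_head (names assumed). */
struct list_head { struct list_head *next, *prev; };
static void list_add(struct list_head *n, struct list_head *head) {
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

/* Stand-in for an rtskb queued on the map-wait list (constructed). Instead of
 * free(), a destroyed entry is only flagged so the checker can still walk it. */
struct skb { bool destroyed; struct list_head mapwait; };
static struct list_head mapwait_list = { &mapwait_list, &mapwait_list };
static void skb_queue(struct skb *s) {
    s->destroyed = false;
    list_add(&s->mapwait, &mapwait_list);
}
/* Buggy teardown: the object goes away but its node is never unlinked, so the
 * list keeps pointing into it (the list grows but never shrinks). */
static void skb_destroy_leaky(struct skb *s) { s->destroyed = true; }
/* Fixed teardown: unlink before the memory is released. */
static void skb_destroy_fixed(struct skb *s) {
    if (s->mapwait.next) list_del(&s->mapwait);
    s->destroyed = true;
}

/* Invariant: every node on the wait list belongs to a live skb.
 * Returns how many entries point at destroyed objects. */
static int mapwait_dangling(void) {
    int n = 0;
    for (struct list_head *p = mapwait_list.next; p != &mapwait_list; p = p->next) {
        struct skb *s = (struct skb *)((char *)p - offsetof(struct skb, mapwait));
        n += s->destroyed;
    }
    return n;
}
/* Socket destroyed then recreated; returns the dangling count for each teardown. */
static int scenario(bool fixed) {
    static struct skb a, b;
    mapwait_list.next = mapwait_list.prev = &mapwait_list;
    skb_queue(&a);
    if (fixed) skb_destroy_fixed(&a); else skb_destroy_leaky(&a);
    skb_queue(&b);
    return mapwait_dangling();
}
```

With the leaky teardown the second queue operation writes through the stale node, which is the list_add() use-after-free the report describes; in a real kernel the same invariant can be checked with list debugging (CONFIG_DEBUG_LIST) and KASAN.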
