Date:	Sat, 3 Oct 2015 18:21:54 +0100
From:	Andrej <andrej@....si>
To:	linux-kernel@...r.kernel.org
Cc:	romieu@...zoreil.com, davem@...emloft.net
Subject: via-rhine: fix VLAN receive handling error in 4.2.x

Hi,


The via-rhine driver in 4.2.x kernels doesn’t correctly parse the VLAN ID on receive. A bug was introduced in commit 810f19bcb862f8889b27e0c9d9eceac9593925dd. All 4.2.x kernels are affected. 4.1.x and older kernels are not affected.

During code refactoring, the sequence of calls changed, which introduced a regression. The original sequence was:
 1) Read TCI from skb->data
 2) Determine eth protocol using eth_type_trans (which calls skb_pull_inline)
 3) Write TCI to skb->vlan_tci

After the change, the sequence is:
 1) Determine protocol using eth_type_trans (which calls skb_pull_inline)
 2) Read TCI from skb->data
 3) Write TCI to skb->vlan_tci

Because eth_type_trans consumes an Ethernet header's worth of bytes, a call to read the TCI from the packet no longer works as expected, as it’s reading from an invalid offset.

Choosing between changing rhine_get_vlan_tci(), which retrieves TCI from skb->data, or moving eth_type_trans() invocation after rhine_rx_vlan_tag(), I chose the latter.


Andrej.


--- linux-4.2.2.orig/drivers/net/ethernet/via/via-rhine.c       2015-10-03 15:46:59.817000000 +0200
+++ linux-4.2.2/drivers/net/ethernet/via/via-rhine.c    2015-10-03 18:53:51.799000000 +0200
@@ -2134,10 +2134,11 @@
 			}
 
 			skb_put(skb, pkt_len);
-			skb->protocol = eth_type_trans(skb, dev);
 
 			rhine_rx_vlan_tag(skb, desc, data_size);
 
+			skb->protocol = eth_type_trans(skb, dev);
+
 			netif_receive_skb(skb);
 
 			u64_stats_update_begin(&rp->rx_stats.syncp);
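
Review bot: the ordering requirement between rhine_rx_vlan_tag() and eth_type_trans() is still implicit in the code after this hunk, so a later refactor can reintroduce the same regression. Add a one-line comment above the rhine_rx_vlan_tag() call saying that it reads the TCI relative to skb->data and must therefore run before eth_type_trans() pulls the Ethernet header. The submission also carries no Signed-off-by line, and a Fixes: tag naming commit 810f19bcb862f8889b27e0c9d9eceac9593925dd would help the fix reach the affected 4.2.x kernels.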

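The ordering problem described in the message above, as an added user-space example that is not part of the original post or of the via-rhine driver. The struct, the function names, the frame contents and the tag offset are assumptions made for illustration; the message only states that the TCI is read relative to skb->data and that eth_type_trans() pulls the Ethernet header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN   14       /* bytes eth_type_trans() pulls off the front */
#define DATA_SIZE  60       /* constructed frame length */
#define SENT_TCI   0x2064   /* constructed tag: priority 1, VLAN ID 100 */
/* Assumed tag position relative to data: after the 4-byte-aligned frame. */
#define TCI_OFF    (((DATA_SIZE + 3) & ~3) + 2)

/* Hypothetical stand-in for the sk_buff fields involved. */
struct model_skb {
    uint8_t buf[128];
    uint8_t *data;
};

static void model_init(struct model_skb *skb)
{
    memset(skb->buf, 0xAA, sizeof(skb->buf));   /* filler, not a real frame */
    skb->data = skb->buf;
    skb->buf[TCI_OFF]     = SENT_TCI >> 8;      /* TCI stored big-endian */
    skb->buf[TCI_OFF + 1] = SENT_TCI & 0xff;
}

/* Reads the TCI relative to the current data pointer, whatever it is. */
static uint16_t model_get_tci(const struct model_skb *skb)
{
    const uint8_t *p = skb->data + TCI_OFF;
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* pull_first != 0 models the 4.2.x order; 0 models the patched order,
 * where the read happens before any header pull. */
uint16_t rx_tci(int pull_first)
{
    struct model_skb skb;

    model_init(&skb);
    if (pull_first)
        skb.data += ETH_HLEN;   /* effect of eth_type_trans() on data */
    return model_get_tci(&skb);
}

int main(void)
{
    printf("patched order: 0x%04x\n", rx_tci(0));
    printf("4.2.x order:   0x%04x\n", rx_tci(1));
    return 0;
}
```

In the 4.2.x order the read lands ETH_HLEN bytes past the tag and returns filler bytes instead of the TCI that was sent.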