lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 08 Jun 2018 19:50:58 -0400 (EDT)
From:   David Miller <davem@...emloft.net>
To:     bjorn@...k.no
Cc:     netdev@...r.kernel.org, linux-usb@...r.kernel.org,
        bodqhrohro@...il.com, dennis.wassenberg@...unet.com,
        mrkiko.rs@...il.com
Subject: Re: [PATCH net,stable] cdc_ncm: avoid padding beyond end of skb

From: Bjørn Mork <bjorn@...k.no>
Date: Fri,  8 Jun 2018 09:15:24 +0200

> Commit 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end
> of NCM frame") added logic to reserve space for the NDP at the
> end of the NTB/skb.  This reservation did not take the final
> alignment of the NDP into account, causing us to reserve too
> little space. Additionally the padding prior to NDP addition did
> not ensure there was enough space for the NDP.
> 
> The NTB/skb with the NDP appended would then exceed the configured
> max size. This caused the final padding of the NTB to use a
> negative count, padding to almost INT_MAX, and resulting in:
 ...
> Commit e1069bbfcf3b ("net: cdc_ncm: Reduce memory use when kernel
> memory low") made this bug much more likely to trigger by reducing
> the NTB size under memory pressure.
> 
> Link: https://bugs.debian.org/893393
> Reported-by: Горбешко Богдан <bodqhrohro@...il.com>
> Reported-and-tested-by: Dennis Wassenberg <dennis.wassenberg@...unet.com>
> Cc: Enrico Mioso <mrkiko.rs@...il.com>
> Fixes: 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end of NCM frame")
> Signed-off-by: Bjørn Mork <bjorn@...k.no>
> ---
> Big thanks to Dennis for the observation that this crash depended on
> FLAG_SEND_ZLP not being set. This made it possible to pinpoint where
> the problem was.

Applied and queued up for -stable.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ