lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 5 Jul 2018 13:34:54 +0200
From:   Stefan Schmidt <stefan@...enfreihafen.org>
To:     Michael Scott <michael@...nsourcefoundries.com>
Cc:     Alexander Aring <alex.aring@...il.com>,
        Jukka Rissanen <jukka.rissanen@...ux.intel.com>,
        "David S. Miller" <davem@...emloft.net>,
        linux-bluetooth@...r.kernel.org, linux-wpan@...r.kernel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] 6lowpan: iphc: reset mac_header after decompress to fix
 panic

Hello Jukka.

On 20.06.2018 01:44, Michael Scott wrote:
> After decompression of 6lowpan socket data, an IPv6 header is inserted
> before the existing socket payload.  After this, we reset the
> network_header value of the skb to account for the difference in payload
> size from prior to decompression + the addition of the IPv6 header.
> 
> However, we fail to reset the mac_header value.
> 
> Leaving the mac_header value untouched here, can cause a calculation
> error in net/packet/af_packet.c packet_rcv() function when an
> AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
> interface.
> 
> On line 2088, the data pointer is moved backward by the value returned
> from skb_mac_header().  If skb->data is adjusted so that it is before
> the skb->head pointer (which can happen when an old value of mac_header
> is left in place) the kernel generates a panic in net/core/skbuff.c
> line 1717.
> 
> This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
> 802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
> sources for compression and decompression.
> 
> Signed-off-by: Michael Scott <michael@...nsourcefoundries.com>
> ---
>  net/6lowpan/iphc.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c
> index 6b1042e21656..52fad5dad9f7 100644
> --- a/net/6lowpan/iphc.c
> +++ b/net/6lowpan/iphc.c
> @@ -770,6 +770,7 @@ int lowpan_header_decompress(struct sk_buff *skb, const struct net_device *dev,
>  		hdr.hop_limit, &hdr.daddr);
>  
>  	skb_push(skb, sizeof(hdr));
> +	skb_reset_mac_header(skb);
>  	skb_reset_network_header(skb);
>  	skb_copy_to_linear_data(skb, &hdr, sizeof(hdr));
>  
> 


Alex acked this patch for the ieee802154 side. Could you test it for the
bluetooth 6lowpan side and ack or nack as well?

So far plain 6lowpan subsystem patches would still go through the
bluetooth tree after Alex and you acked them. I guess Marcel or Johan
just waiting for your review.

regards
Stefan Schmidt

Powered by blists - more mailing lists