| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 28 Apr 2024 22:29:13 +0800
From: <shiming.cheng@...iatek.com>
To: <willemdebruijn.kernel@...il.com>, <edumazet@...gle.com>,
<davem@...emloft.net>, <kuba@...nel.org>, <pabeni@...hat.com>,
<matthias.bgg@...il.com>
CC: <linux-kernel@...r.kernel.org>, <netdev@...r.kernel.org>,
<shiming.cheng@...iatek.com>, Lena Wang <lena.wang@...iatek.com>
Subject: [PATCH net] net: prevent pulling SKB_GSO_FRAGLIST skb
From: Shiming Cheng <shiming.cheng@...iatek.com>
BPF or TC callers may pull in a length longer than skb_headlen()
for a SKB_GSO_FRAGLIST skb. The data in fraglist will be pulled
into the linear space. However it destroys the skb's structure
and may result in an invalid segmentation or kernel exception.
So we should add protection to stop the operation and return
error to remind callers.
Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
Signed-off-by: Shiming Cheng <shiming.cheng@...iatek.com>
Signed-off-by: Lena Wang <lena.wang@...iatek.com>
---
net/core/skbuff.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index f68f2679b086..2d35e009e814 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -6100,6 +6100,12 @@ EXPORT_SYMBOL(skb_vlan_untag);
int skb_ensure_writable(struct sk_buff *skb, unsigned int write_len)
{
+ if (skb_is_gso(skb) &&
+ (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) &&
+ write_len > skb_headlen(skb)) {
+ return -ENOMEM;
+ }
+
if (!pskb_may_pull(skb, write_len))
return -ENOMEM;
--
2.18.0
Powered by blists - more mailing lists