Date: Wed, 28 Mar 2018 21:03:40 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: Dongli Zhang <dongli.zhang@...cle.com>, xen-devel@...ts.xenproject.org, linux-kernel@...r.kernel.org
Cc: netdev@...r.kernel.org, paul.durrant@...rix.com, wei.liu2@...rix.com
Subject: Re: [PATCH v2 1/1] xen-netback: process malformed sk_buff correctly to avoid BUG_ON()

On 03/28/2018 08:51 PM, Dongli Zhang wrote:
> The "BUG_ON(!frag_iter)" in function xenvif_rx_next_chunk() is triggered if
> the received sk_buff is malformed, that is, when the sk_buff has the pattern
> (skb->data_len && !skb_shinfo(skb)->nr_frags). Below is a sample call
> stack:
>
> ...
>
> The issue is hit by xen-netback when there is a bug in another networking
> interface (e.g., the dom0 physical NIC), which has generated and forwarded a
> malformed sk_buff to dom0 vifX.Y. It is possible to reproduce the issue on
> purpose with the sample code below in a kernel module:
>
> skb->dev = dev; // dev of vifX.Y
> skb->len = 386;
> skb->data_len = 352;
> skb->tail = 98;
> skb->end = 384;
> skb_shinfo(skb)->nr_frags = 0;
> dev->netdev_ops->ndo_start_xmit(skb, dev);
>

This would be a serious bug in the provider of such an skb.

Are you sure you do not have instead an skb with a chain of skbs?
(skb_shinfo(skb)->frag_list would be not NULL)

Maybe your driver is wrongly advertising NETIF_F_FRAGLIST.

commit 2167ca029c244901831 would be the bug origin then...
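The exchange above turns on one invariant: an skb's data_len must be backed either by paged frags (nr_frags) or by a frag_list chain, and the reporter's pattern (data_len set, nr_frags zero) is only malformed if there is no frag_list either, which is Eric's question. The following is an added, stand-alone userland model written for this archive page; it is not the kernel's struct sk_buff and not code from either poster. Field names mirror the kernel's, but the struct layout, MODEL_MAX_FRAGS and the sample values (taken from the quoted reproducer) are assumptions. It classifies an skb as linear, paged, chained or malformed, so a reviewer can see which of the three shapes a given set of fields actually describes.

```c
#include <stdio.h>

/* Assumed bound for the model; the kernel's MAX_SKB_FRAGS differs by config. */
#define MODEL_MAX_FRAGS 17

/* Userland model of the sk_buff fields discussed in the thread (assumption,
 * not the kernel's struct sk_buff). */
struct model_skb {
    unsigned int len;                          /* total bytes carried by the skb   */
    unsigned int data_len;                     /* bytes outside the linear area    */
    unsigned int nr_frags;                     /* paged frags in use               */
    unsigned int frag_size[MODEL_MAX_FRAGS];   /* size of each paged frag          */
    struct model_skb *frag_list;               /* first skb of a chain, or NULL    */
    struct model_skb *next;                    /* link to the next skb in a chain  */
};

enum skb_shape {
    SKB_LINEAR,     /* all data in the linear area                          */
    SKB_PAGED,      /* paged frags account for data_len                     */
    SKB_CHAINED,    /* a frag_list chain accounts for (part of) data_len    */
    SKB_MALFORMED   /* data_len not backed by frags or a frag_list          */
};

/* Bytes that the paged frags and the frag_list chain actually provide. */
static unsigned int model_nonlinear_bytes(const struct model_skb *skb)
{
    unsigned int sum = 0;
    for (unsigned int i = 0; i < skb->nr_frags && i < MODEL_MAX_FRAGS; i++)
        sum += skb->frag_size[i];
    for (const struct model_skb *p = skb->frag_list; p; p = p->next)
        sum += p->len;
    return sum;
}

/* Classify an skb by checking that data_len is consistent with its backing. */
enum skb_shape model_classify(const struct model_skb *skb)
{
    if (skb->data_len > skb->len)
        return SKB_MALFORMED;               /* more non-linear data than total */
    if (skb->data_len == 0)
        return (skb->nr_frags == 0 && !skb->frag_list) ? SKB_LINEAR : SKB_MALFORMED;
    /* The pattern from the thread: data_len set but nothing to back it. */
    if (skb->nr_frags == 0 && !skb->frag_list)
        return SKB_MALFORMED;
    if (model_nonlinear_bytes(skb) != skb->data_len)
        return SKB_MALFORMED;               /* backing exists but sizes disagree */
    return skb->frag_list ? SKB_CHAINED : SKB_PAGED;
}

/* Constructed samples. The first uses the reproducer's values verbatim. */
enum skb_shape model_sample_thread(void)
{
    struct model_skb s = { .len = 386, .data_len = 352, .nr_frags = 0 };
    return model_classify(&s);
}

enum skb_shape model_sample_paged(void)
{
    struct model_skb s = { .len = 386, .data_len = 352, .nr_frags = 1,
                           .frag_size = { 352 } };
    return model_classify(&s);
}

/* Same len/data_len/nr_frags as the reproducer, but with a frag_list chain:
 * this is the shape Eric asks about, and it is well-formed. */
enum skb_shape model_sample_chained(void)
{
    struct model_skb tail = { .len = 352, .data_len = 0 };
    struct model_skb s = { .len = 386, .data_len = 352, .nr_frags = 0,
                           .frag_list = &tail };
    return model_classify(&s);
}

enum skb_shape model_sample_linear(void)
{
    struct model_skb s = { .len = 98, .data_len = 0 };
    return model_classify(&s);
}

int main(void)
{
    static const char *names[] = { "linear", "paged", "chained", "malformed" };
    printf("reproducer values : %s\n", names[model_sample_thread()]);
    printf("paged frags       : %s\n", names[model_sample_paged()]);
    printf("frag_list chain   : %s\n", names[model_sample_chained()]);
    printf("linear only       : %s\n", names[model_sample_linear()]);
    return 0;
}
```

The reproducer's values come out as malformed only because frag_list is also NULL; adding a chain with the same len and data_len makes the same three fields well-formed, which is exactly why the reply asks whether the provider is really emitting frag-less skbs or chained ones advertised via NETIF_F_FRAGLIST.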