lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20190916.214707.1312089672859838604.davem@davemloft.net>
Date:   Mon, 16 Sep 2019 21:47:07 +0200 (CEST)
From:   David Miller <davem@...emloft.net>
To:     dongli.zhang@...cle.com
Cc:     xen-devel@...ts.xenproject.org, netdev@...r.kernel.org,
        boris.ostrovsky@...cle.com, jgross@...e.com,
        sstabellini@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/1] xen-netfront: do not assume sk_buff_head list is
 empty in error handling

From: Dongli Zhang <dongli.zhang@...cle.com>
Date: Mon, 16 Sep 2019 11:46:59 +0800

> When skb_shinfo(skb) is not able to cache extra fragment (that is,
> skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS), xennet_fill_frags() assumes
> the sk_buff_head list is already empty. As a result, cons is increased only
> by 1 and returns to error handling path in xennet_poll().
> 
> However, if the sk_buff_head list is not empty, queue->rx.rsp_cons may be
> set incorrectly. That is, queue->rx.rsp_cons would point to the rx ring
> buffer entries whose queue->rx_skbs[i] and queue->grant_rx_ref[i] are
> already cleared to NULL. This leads to NULL pointer access in the next
> iteration to process rx ring buffer entries.
> 
> Below is how xennet_poll() does error handling. All remaining entries in
> tmpq are accounted to queue->rx.rsp_cons without assuming how many
> outstanding skbs are remained in the list.
> 
>  985 static int xennet_poll(struct napi_struct *napi, int budget)
> ... ...
> 1032           if (unlikely(xennet_set_skb_gso(skb, gso))) {
> 1033                   __skb_queue_head(&tmpq, skb);
> 1034                   queue->rx.rsp_cons += skb_queue_len(&tmpq);
> 1035                   goto err;
> 1036           }
> 
> It is better to always have the error handling in the same way.
> 
> Fixes: ad4f15dc2c70 ("xen/netfront: don't bug in case of too many frags")
> Signed-off-by: Dongli Zhang <dongli.zhang@...cle.com>

Applied and queued up for -stable.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ