lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 10 Apr 2021 13:00:34 +0200
From:   Eric Dumazet <edumazet@...gle.com>
To:     Phillip Potter <phil@...lpotter.co.uk>
Cc:     David Miller <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Willem de Bruijn <willemb@...gle.com>,
        linmiaohe <linmiaohe@...wei.com>,
        Yunsheng Lin <linyunsheng@...wei.com>,
        Alexander Lobakin <alobakin@...me>,
        Marco Elver <elver@...gle.com>,
        Guillaume Nault <gnault@...hat.com>,
        Dongseok Yi <dseok.yi@...sung.com>,
        Al Viro <viro@...iv.linux.org.uk>, vladimir.oltean@....com,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] net: core: sk_buff: zero-fill skb->data in __alloc_skb function

On Sat, Apr 10, 2021 at 12:12 PM Eric Dumazet <edumazet@...gle.com> wrote:
>
> On Sat, Apr 10, 2021 at 11:51 AM Phillip Potter <phil@...lpotter.co.uk> wrote:
> >
> > Zero-fill skb->data in __alloc_skb function of net/core/skbuff.c,
> > up to start of struct skb_shared_info bytes. Fixes a KMSAN-found
> > uninit-value bug reported by syzbot at:
> > https://syzkaller.appspot.com/bug?id=abe95dc3e3e9667fc23b8d81f29ecad95c6f106f
> >
> > Reported-by: syzbot+2e406a9ac75bb71d4b7a@...kaller.appspotmail.com
> > Signed-off-by: Phillip Potter <phil@...lpotter.co.uk>
> > ---
> >  net/core/skbuff.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> > index 785daff48030..9ac26cdb5417 100644
> > --- a/net/core/skbuff.c
> > +++ b/net/core/skbuff.c
> > @@ -215,6 +215,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask,
> >          * to allow max possible filling before reallocation.
> >          */
> >         size = SKB_WITH_OVERHEAD(ksize(data));
> > +       memset(data, 0, size);
> >         prefetchw(data + size);
>
>
> Certainly not.
>
> There is a difference between kmalloc() and kzalloc()
>
> Here you are basically silencing KMSAN and make it useless.
>
> Please fix the real issue, or stop using KMSAN if it bothers you.

My understanding of the KMSAN bug (when I released it months ago) was
that it was triggered by some invalid assumptions in geneve_xmit()

The syzbot repro sends a packet with a very small size (Ethernet
header only) and no IP/IPv6 header

Fix for ipv4 part (sorry, not much time during week end to test all this)

diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index e3b2375ac5eb55f544bbc1f309886cc9be189fd1..0a72779bc74bc50c20c34c05b2c525cca829f33c
100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -892,6 +892,9 @@ static int geneve_xmit_skb(struct sk_buff *skb,
struct net_device *dev,
        __be16 sport;
        int err;

+       if (!pskb_network_may_pull(skb, sizeof(struct iphdr))
+               return -EINVAL;
+
        sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
        rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info,
                              geneve->cfg.info.key.tp_dst, sport);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ