lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANn89i+PQ0Z5LHoTfBixJ9gzAcWD9_8dWccO80gSPx+uZ_wujA@mail.gmail.com>
Date:   Fri, 10 Jun 2022 00:35:04 -0700
From:   Eric Dumazet <edumazet@...gle.com>
To:     Di Zhu <zhudi2@...wei.com>
Cc:     Jamal Hadi Salim <jhs@...atatu.com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        Jiri Pirko <jiri@...nulli.us>,
        David Miller <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>, rose.chen@...wei.com,
        syzbot+7a12909485b94426aceb@...kaller.appspotmail.com
Subject: Re: [PATCH] fq_codel: Discard problematic packets with pkt_len 0

On Fri, Jun 10, 2022 at 12:32 AM Eric Dumazet <edumazet@...gle.com> wrote:
>
> On Fri, Jun 10, 2022 at 12:07 AM Di Zhu <zhudi2@...wei.com> wrote:
> >
> > Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any
> > skbs, that is, the flow->head is null.
> > The root cause is that: when the first queued skb with pkt_len 0, backlogs
> > of the flow that this skb enqueued is still 0 and if sch->limit is set to
> > 0 then fq_codel_drop() will be called. At this point, the backlogs of all
> > flows are all 0, so flow with idx 0 is selected to drop, but this flow have
> > not any skbs.
> > skb with pkt_len 0 can break existing processing logic, so just discard
> > these invalid skbs.
> >
> > LINK: [1] https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16ec96c5
> >
> > Reported-by: syzbot+7a12909485b94426aceb@...kaller.appspotmail.com
> > Signed-off-by: Di Zhu <zhudi2@...wei.com>
> > ---
> >  net/sched/sch_fq_codel.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
> > index 839e1235db05..c0f82b7358e1 100644
> > --- a/net/sched/sch_fq_codel.c
> > +++ b/net/sched/sch_fq_codel.c
> > @@ -191,6 +191,9 @@ static int fq_codel_enqueue(struct sk_buff *skb, struct Qdisc *sch,
> >         unsigned int pkt_len;
> >         bool memory_limited;
> >
> > +       if (unlikely(!qdisc_pkt_len(skb)))
> > +               return qdisc_drop(skb, sch, to_free);
> > +
>
>
> This has been discussed in the past.
>

https://www.spinics.net/lists/netdev/msg777503.html

> Feeding ndo_start_xmit() in hundreds of drivers with zero-length
> packets will crash anyway.
>
> We are not going to add such silly tests in all qdiscs, and then all
> ndo_start_xmit(), since qdiscs are not mandatory.
>
> Please instead fix BPF layer, instead of hundreds of drivers/qdiscs.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ