lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 10 Jun 2022 07:37:36 +0000
From:   "zhudi (E)" <zhudi2@...wei.com>
To:     Eric Dumazet <edumazet@...gle.com>
CC:     Jamal Hadi Salim <jhs@...atatu.com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        Jiri Pirko <jiri@...nulli.us>,
        David Miller <davem@...emloft.net>,
        "Jakub Kicinski" <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        "Chenxiang (EulerOS)" <rose.chen@...wei.com>,
        "syzbot+7a12909485b94426aceb@...kaller.appspotmail.com" 
        <syzbot+7a12909485b94426aceb@...kaller.appspotmail.com>
Subject: 答复: [PATCH] fq_codel: Discard problematic packets with pkt_len 0

Thanks Eric, I'll take a look.


> On Fri, Jun 10, 2022 at 12:32 AM Eric Dumazet <edumazet@...gle.com> wrote:
> >
> > On Fri, Jun 10, 2022 at 12:07 AM Di Zhu <zhudi2@...wei.com> wrote:
> > >
> > > Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any
> > > skbs, that is, the flow->head is null.
> > > The root cause is that: when the first queued skb with pkt_len 0, backlogs
> > > of the flow that this skb enqueued is still 0 and if sch->limit is set to
> > > 0 then fq_codel_drop() will be called. At this point, the backlogs of all
> > > flows are all 0, so flow with idx 0 is selected to drop, but this flow have
> > > not any skbs.
> > > skb with pkt_len 0 can break existing processing logic, so just discard
> > > these invalid skbs.
> > >
> > > LINK: [1]
> https://syzkaller.appspot.com/bug?id=0b84da80c2917757915afa89f7738a9d16e
> c96c5
> > >
> > > Reported-by: syzbot+7a12909485b94426aceb@...kaller.appspotmail.com
> > > Signed-off-by: Di Zhu <zhudi2@...wei.com>
> > > ---
> > >  net/sched/sch_fq_codel.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
> > > index 839e1235db05..c0f82b7358e1 100644
> > > --- a/net/sched/sch_fq_codel.c
> > > +++ b/net/sched/sch_fq_codel.c
> > > @@ -191,6 +191,9 @@ static int fq_codel_enqueue(struct sk_buff *skb,
> struct Qdisc *sch,
> > >         unsigned int pkt_len;
> > >         bool memory_limited;
> > >
> > > +       if (unlikely(!qdisc_pkt_len(skb)))
> > > +               return qdisc_drop(skb, sch, to_free);
> > > +
> >
> >
> > This has been discussed in the past.
> >
> 
> https://www.spinics.net/lists/netdev/msg777503.html
> 
> > Feeding ndo_start_xmit() in hundreds of drivers with zero-length
> > packets will crash anyway.
> >
> > We are not going to add such silly tests in all qdiscs, and then all
> > ndo_start_xmit(), since qdiscs are not mandatory.
> >
> > Please instead fix BPF layer, instead of hundreds of drivers/qdiscs.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ