| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 25 Sep 2022 17:41:23 -0700
From: Kees Cook <keescook@...omium.org>
To: Paolo Abeni <pabeni@...hat.com>
Cc: Vlastimil Babka <vbabka@...e.cz>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
"Ruhl, Michael J" <michael.j.ruhl@...el.com>,
Hyeonggon Yoo <42.hyeyoo@...il.com>,
Christoph Lameter <cl@...ux.com>,
Pekka Enberg <penberg@...nel.org>,
David Rientjes <rientjes@...gle.com>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Andrew Morton <akpm@...ux-foundation.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Alex Elder <elder@...nel.org>,
Josef Bacik <josef@...icpanda.com>,
David Sterba <dsterba@...e.com>,
Sumit Semwal <sumit.semwal@...aro.org>,
Christian König <christian.koenig@....com>,
Jesse Brandeburg <jesse.brandeburg@...el.com>,
Daniel Micay <danielmicay@...il.com>,
Yonghong Song <yhs@...com>, Marco Elver <elver@...gle.com>,
Miguel Ojeda <ojeda@...nel.org>, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, linux-btrfs@...r.kernel.org,
linux-media@...r.kernel.org, dri-devel@...ts.freedesktop.org,
linaro-mm-sig@...ts.linaro.org, linux-fsdevel@...r.kernel.org,
intel-wired-lan@...ts.osuosl.org, dev@...nvswitch.org,
x86@...nel.org, llvm@...ts.linux.dev,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH v2 04/16] skbuff: Phase out ksize() fallback for frag_size
On Sun, Sep 25, 2022 at 09:17:40AM +0200, Paolo Abeni wrote:
> On Fri, 2022-09-23 at 13:28 -0700, Kees Cook wrote:
> > All callers of APIs that allowed a 0-sized frag_size appear to be
> > passing actual size information already
>
> AFAICS, not yet:
>
> drivers/net/ethernet/qlogic/qed/qed_ll2.c:
> skb = build_skb(buffer->data, 0); // -> __build_skb(..., 0)
> // -> __build_skb_around()
>
> drivers/net/ethernet/broadcom/bnx2.c:
> skb = build_skb(data, 0);
>
> I guess some more drivers have calls leading to
>
> __build_skb_around(..., 0)
>
> there are several call path to checks...
Ah-ha! Thank you. I will try to hunt these down -- I think we can't
remove the "secret resizing" effect of ksize() without fixing these.
> > [...]
> > diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> > index 0b30fbdbd0d0..84ca89c781cd 100644
> > --- a/net/core/skbuff.c
> > +++ b/net/core/skbuff.c
> > @@ -195,7 +195,11 @@ static void __build_skb_around(struct sk_buff *skb, void *data,
> > unsigned int frag_size)
> > {
> > struct skb_shared_info *shinfo;
> > - unsigned int size = frag_size ? : ksize(data);
> > + unsigned int size = frag_size;
> > +
> > + /* All callers should be setting frag size now? */
> > + if (WARN_ON_ONCE(size == 0))
> > + size = ksize(data);
>
> At some point in the future, I guess we could even drop this check,
> right?
Alternatively, we might be able to ask the slab if "data" came from
kmalloc or a kmem_cache, and if the former, do:
data = krealloc(kmalloc_size_roundup(ksize(data), ...)
But that seems ugly...
--
Kees Cook
Powered by blists - more mailing lists