lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <9fa577cf-0999-431c-bfc9-e7911601543c@gmail.com>
Date: Tue, 8 Jul 2025 21:26:36 +0700
From: Bui Quang Minh <minhquangbui99@...il.com>
To: Jason Wang <jasowang@...hat.com>
Cc: netdev@...r.kernel.org, "Michael S. Tsirkin" <mst@...hat.com>,
 Xuan Zhuo <xuanzhuo@...ux.alibaba.com>, Eugenio Pérez
 <eperezma@...hat.com>, Andrew Lunn <andrew+netdev@...n.ch>,
 "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
 Gavin Li <gavinl@...dia.com>, Gavi Teitz <gavi@...dia.com>,
 Parav Pandit <parav@...dia.com>, virtualization@...ts.linux.dev,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] virtio-net: fix received length check in big packets

On 7/7/25 10:48, Jason Wang wrote:
> On Sun, Jul 6, 2025 at 10:12 PM Bui Quang Minh <minhquangbui99@...il.com> wrote:
>> Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length
>> for big packets"), the allocated size for big packets is not
>> MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The
>> number of allocated frags for big packets is stored in
>> vi->big_packets_num_skbfrags. This commit fixes the received length
>> check corresponding to that change. The current incorrect check can lead
>> to NULL page pointer dereference in the below while loop when erroneous
>> length is received.
>>
>> Fixes: 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets")
>> Signed-off-by: Bui Quang Minh <minhquangbui99@...il.com>
>> ---
>>   drivers/net/virtio_net.c | 10 +++++++---
>>   1 file changed, 7 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
>> index 5d674eb9a0f2..ead1cd2fb8af 100644
>> --- a/drivers/net/virtio_net.c
>> +++ b/drivers/net/virtio_net.c
>> @@ -823,7 +823,7 @@ static struct sk_buff *page_to_skb(struct virtnet_info *vi,
>>   {
>>          struct sk_buff *skb;
>>          struct virtio_net_common_hdr *hdr;
>> -       unsigned int copy, hdr_len, hdr_padded_len;
>> +       unsigned int copy, hdr_len, hdr_padded_len, max_remaining_len;
>>          struct page *page_to_free = NULL;
>>          int tailroom, shinfo_size;
>>          char *p, *hdr_p, *buf;
>> @@ -887,12 +887,16 @@ static struct sk_buff *page_to_skb(struct virtnet_info *vi,
>>           * tries to receive more than is possible. This is usually
>>           * the case of a broken device.
>>           */
>> -       if (unlikely(len > MAX_SKB_FRAGS * PAGE_SIZE)) {
>> +       BUG_ON(offset >= PAGE_SIZE);
>> +       max_remaining_len = (unsigned int)PAGE_SIZE - offset;
>> +       max_remaining_len += vi->big_packets_num_skbfrags * PAGE_SIZE;
>> +       if (unlikely(len > max_remaining_len)) {
>>                  net_dbg_ratelimited("%s: too much data\n", skb->dev->name);
>>                  dev_kfree_skb(skb);
>> +               give_pages(rq, page);
> Should this be an independent fix?

I've realized this is not needed. In receive_big(), if page_to_skb() 
returns NULL then give_pages() is called. I'll remove this in next version.

Thanks,
Quang Minh.

>
>>                  return NULL;
>>          }
>> -       BUG_ON(offset >= PAGE_SIZE);
>> +
>>          while (len) {
>>                  unsigned int frag_size = min((unsigned)PAGE_SIZE - offset, len);
>>                  skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page, offset,
>> --
>> 2.43.0
>>
> Thanks
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ