lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAPpAL=x-fVOkm=D_OeVLjWwUKThM=1FQFQBZyyBOrH30TEyZdA@mail.gmail.com>
Date: Wed, 5 Nov 2025 00:55:07 +0800
From: Lei Yang <leiyang@...hat.com>
To: Bui Quang Minh <minhquangbui99@...il.com>
Cc: "Michael S. Tsirkin" <mst@...hat.com>, Jason Wang <jasowang@...hat.com>, 
	Eugenio Pérez <eperezma@...hat.com>, 
	Andrew Lunn <andrew+netdev@...n.ch>, "David S. Miller" <davem@...emloft.net>, 
	Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, 
	Gavin Li <gavinl@...dia.com>, Gavi Teitz <gavi@...dia.com>, Parav Pandit <parav@...dia.com>, 
	virtualization@...ts.linux.dev, Xuan Zhuo <xuanzhuo@...ux.alibaba.com>, 
	linux-kernel@...r.kernel.org, stable@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH net v7] virtio-net: fix received length check in big packets

Tested this patch with virtio-net regression tests, everything works fine.

Tested-by: Lei Yang <leiyang@...hat.com>

On Mon, Nov 3, 2025 at 1:59 PM Xuan Zhuo <xuanzhuo@...ux.alibaba.com> wrote:
>
> On Thu, 30 Oct 2025 21:44:38 +0700, Bui Quang Minh <minhquangbui99@...il.com> wrote:
> > Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length
> > for big packets"), when guest gso is off, the allocated size for big
> > packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on
> > negotiated MTU. The number of allocated frags for big packets is stored
> > in vi->big_packets_num_skbfrags.
> >
> > Because the host announced buffer length can be malicious (e.g. the host
> > vhost_net driver's get_rx_bufs is modified to announce incorrect
> > length), we need a check in virtio_net receive path. Currently, the
> > check is not adapted to the new change which can lead to NULL page
> > pointer dereference in the below while loop when receiving length that
> > is larger than the allocated one.
> >
> > This commit fixes the received length check corresponding to the new
> > change.
> >
> > Fixes: 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets")
> > Cc: stable@...r.kernel.org
> > Signed-off-by: Bui Quang Minh <minhquangbui99@...il.com>
>
> Reviewed-by: Xuan Zhuo <xuanzhuo@...ux.alibaba.com>
>
> > ---
> > Changes in v7:
> > - Fix typos
> > - Link to v6: https://lore.kernel.org/netdev/20251028143116.4532-1-minhquangbui99@gmail.com/
> > Changes in v6:
> > - Fix the length check
> > - Link to v5: https://lore.kernel.org/netdev/20251024150649.22906-1-minhquangbui99@gmail.com/
> > Changes in v5:
> > - Move the length check to receive_big
> > - Link to v4: https://lore.kernel.org/netdev/20251022160623.51191-1-minhquangbui99@gmail.com/
> > Changes in v4:
> > - Remove unrelated changes, add more comments
> > - Link to v3: https://lore.kernel.org/netdev/20251021154534.53045-1-minhquangbui99@gmail.com/
> > Changes in v3:
> > - Convert BUG_ON to WARN_ON_ONCE
> > - Link to v2: https://lore.kernel.org/netdev/20250708144206.95091-1-minhquangbui99@gmail.com/
> > Changes in v2:
> > - Remove incorrect give_pages call
> > - Link to v1: https://lore.kernel.org/netdev/20250706141150.25344-1-minhquangbui99@gmail.com/
> > ---
> >  drivers/net/virtio_net.c | 25 ++++++++++++-------------
> >  1 file changed, 12 insertions(+), 13 deletions(-)
> >
> > diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
> > index a757cbcab87f..421b9aa190a0 100644
> > --- a/drivers/net/virtio_net.c
> > +++ b/drivers/net/virtio_net.c
> > @@ -910,17 +910,6 @@ static struct sk_buff *page_to_skb(struct virtnet_info *vi,
> >               goto ok;
> >       }
> >
> > -     /*
> > -      * Verify that we can indeed put this data into a skb.
> > -      * This is here to handle cases when the device erroneously
> > -      * tries to receive more than is possible. This is usually
> > -      * the case of a broken device.
> > -      */
> > -     if (unlikely(len > MAX_SKB_FRAGS * PAGE_SIZE)) {
> > -             net_dbg_ratelimited("%s: too much data\n", skb->dev->name);
> > -             dev_kfree_skb(skb);
> > -             return NULL;
> > -     }
> >       BUG_ON(offset >= PAGE_SIZE);
> >       while (len) {
> >               unsigned int frag_size = min((unsigned)PAGE_SIZE - offset, len);
> > @@ -2107,9 +2096,19 @@ static struct sk_buff *receive_big(struct net_device *dev,
> >                                  struct virtnet_rq_stats *stats)
> >  {
> >       struct page *page = buf;
> > -     struct sk_buff *skb =
> > -             page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0);
> > +     struct sk_buff *skb;
> > +
> > +     /* Make sure that len does not exceed the size allocated in
> > +      * add_recvbuf_big.
> > +      */
> > +     if (unlikely(len > (vi->big_packets_num_skbfrags + 1) * PAGE_SIZE)) {
> > +             pr_debug("%s: rx error: len %u exceeds allocated size %lu\n",
> > +                      dev->name, len,
> > +                      (vi->big_packets_num_skbfrags + 1) * PAGE_SIZE);
> > +             goto err;
> > +     }
> >
> > +     skb = page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0);
> >       u64_stats_add(&stats->bytes, len - vi->hdr_len);
> >       if (unlikely(!skb))
> >               goto err;
> > --
> > 2.43.0
> >
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ