lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aUAiAG2QaiM9mnl5@horms.kernel.org>
Date: Mon, 15 Dec 2025 14:58:08 +0000
From: Simon Horman <horms@...nel.org>
To: Frode Nordahl <fnordahl@...ntu.com>
Cc: "David S. Miller" <davem@...emloft.net>,
	David Ahern <dsahern@...nel.org>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Tariq Toukan <tariqt@...dia.com>, Cosmin Ratiu <cratiu@...dia.com>,
	Gal Pressman <gal@...dia.com>, Kees Cook <kees@...nel.org>,
	stable@...r.kernel.org, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH net v2] erspan: Initialize options_len before referencing
 options.

On Sat, Dec 13, 2025 at 10:13:36AM +0000, Frode Nordahl wrote:
> The struct ip_tunnel_info has a flexible array member named
> options that is protected by a counted_by(options_len)
> attribute.
> 
> The compiler will use this information to enforce runtime bounds
> checking deployed by FORTIFY_SOURCE string helpers.
> 
> As laid out in the GCC documentation, the counter must be
> initialized before the first reference to the flexible array
> member.
> 
> After scanning through the files that use struct ip_tunnel_info
> and also refer to options or options_len, it appears the normal
> case is to use the ip_tunnel_info_opts_set() helper.
> 
> Said helper would initialize options_len properly before copying
> data into options, however in the GRE ERSPAN code a partial
> update is done, preventing the use of the helper function.
> 
> Before this change the handling of ERSPAN traffic in GRE tunnels
> would cause a kernel panic when the kernel is compiled with
> GCC 15+ and having FORTIFY_SOURCE configured:
> 
> memcpy: detected buffer overflow: 4 byte write of buffer size 0
> 
> Call Trace:
>  <IRQ>
>  __fortify_panic+0xd/0xf
>  erspan_rcv.cold+0x68/0x83
>  ? ip_route_input_slow+0x816/0x9d0
>  gre_rcv+0x1b2/0x1c0
>  gre_rcv+0x8e/0x100
>  ? raw_v4_input+0x2a0/0x2b0
>  ip_protocol_deliver_rcu+0x1ea/0x210
>  ip_local_deliver_finish+0x86/0x110
>  ip_local_deliver+0x65/0x110
>  ? ip_rcv_finish_core+0xd6/0x360
>  ip_rcv+0x186/0x1a0
> 
> Cc: stable@...r.kernel.org
> Link: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-counted_005fby-variable-attribute
> Reported-at: https://launchpad.net/bugs/2129580
> Fixes: bb5e62f2d547 ("net: Add options as a flexible array to struct ip_tunnel_info")
> Signed-off-by: Frode Nordahl <fnordahl@...ntu.com>
> ---
> v2:
>   - target correct netdev tree and properly cc stable in commit message.
>   - replace repeated long in-line comments and link with a single line.
>   - document search for any similar offenses in the code base in commit
>     message.
> v1: https://lore.kernel.org/all/20251212073202.13153-1-fnordahl@ubuntu.com/

Thanks for the updates.

Reviewed-by: Simon Horman <horms@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ