lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 20 Apr 2011 09:31:53 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Dmitry Kravkov <dmitry@...adcom.com>,
	David Miller <davem@...emloft.net>
Cc:	Eilon Greenstein <eilong@...adcom.com>,
	netdev <netdev@...r.kernel.org>
Subject: [PATCH] bnx2x: dont dereference tcp header on non tcp frames

Le mardi 19 avril 2011 à 18:11 +0200, Eric Dumazet a écrit :
> Hi guys
> 
> bnx2x_set_pbd_csum() / bnx2x_set_pbd_csum_e2() seem to read
> tcp_hdrlen(skb) even for non TCP frames ?
> 
> Also, (skb_network_header(skb) - skb->data) is signed, so 
> 	(skb_network_header(skb) - skb->data) / 2 is a bit expensive...
> 

I managed to trigger a kmemcheck fault using netperf -t UDP_RR

02:00.1 Ethernet controller: Broadcom Corporation NetXtreme II BCM57711E 10Gigabit PCIe

[  341.246514] WARNING: kmemcheck: Caught 8-bit read from uninitialized memory (ffff88011800ec30)
[  341.247155] c0a8146ea907c4550009aa456ed2000008000400040000001400030000000000
[  341.249789]  i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u
[  341.252425]                                  ^
[  341.252773] 
[  341.252937] Pid: 4122, comm: netperf Not tainted 2.6.39-rc4-00237-ge3de956-dirty #549 HP ProLiant BL460c G6
[  341.253768] RIP: 0010:[<ffffffff812f5224>]  [<ffffffff812f5224>] bnx2x_start_xmit+0xce4/0x13f0
[  341.254476] RSP: 0018:ffff8801158b38b8  EFLAGS: 00010286
[  341.254879] RAX: ffff88011800ec24 RBX: ffff880118e44820 RCX: 0000000000000007
[  341.255400] RDX: 000000000000000a RSI: ffff880118e44820 RDI: ffff88011800ec40
[  341.255918] RBP: ffff8801158b39b8 R08: ffff88011800ec40 R09: ffff88011800ec00
[  341.256439] R10: 0000000000000000 R11: 000000006e14a8c0 R12: ffff880118f4db00
[  341.256958] R13: 0000000000000481 R14: 0000000000000040 R15: ffff880118ff18e0
[  341.257479] FS:  0000000000000000(0000) GS:ffff88011fc00000(0063) knlGS:00000000f77e16c0
[  341.258081] CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
[  341.258511] CR2: ffff880119856058 CR3: 0000000115879000 CR4: 00000000000006f0
[  341.259033] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  341.259551] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
[  341.260072]  [<ffffffff8137fac5>] dev_hard_start_xmit+0x365/0x690
[  341.260593]  [<ffffffff81398bf7>] sch_direct_xmit+0xb7/0x1c0
[  341.261091]  [<ffffffff81383da8>] dev_queue_xmit+0x1a8/0x5d0
[  341.261583]  [<ffffffff813c2842>] ip_finish_output+0x122/0x2f0
[  341.262122]  [<ffffffff813c163e>] ip_output+0x7e/0xc0
[  341.262609]  [<ffffffff813c1194>] ip_local_out+0x24/0x30
[  341.263114]  [<ffffffff813c11b6>] ip_send_skb+0x16/0x70
[  341.263611]  [<ffffffff813e1326>] udp_send_skb+0x126/0x380
[  341.264129]  [<ffffffff813e300c>] udp_sendmsg+0x2cc/0x790
[  341.264637]  [<ffffffff813eaf44>] inet_sendmsg+0x84/0xc0
[  341.265143]  [<ffffffff8136d98b>] sock_sendmsg+0xbb/0xf0
[  341.265646]  [<ffffffff8136e1e5>] sys_sendto+0x105/0x140
[  341.266151]  [<ffffffff8136e22f>] sys_send+0xf/0x20
[  341.266625]  [<ffffffff813969fd>] compat_sys_socketcall+0xfd/0x1f0
[  341.267186]  [<ffffffff8146b8e9>] sysenter_dispatch+0x7/0x27

[PATCH] bnx2x: dont dereference tcp header on non tcp frames

bnx2x_set_pbd_csum() & bnx2x_set_pbd_csum_e2() use 
tcp_hdrlen(skb) even for non TCP frames

Signed-off-by: Eric Dumazet <eric.dumazet@...il.com>
Cc: Dmitry Kravkov <dmitry@...adcom.com>
Cc: Eilon Greenstein <eilong@...adcom.com>
---
 drivers/net/bnx2x/bnx2x_cmn.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/net/bnx2x/bnx2x_cmn.c b/drivers/net/bnx2x/bnx2x_cmn.c
index e83ac6d..a16a638 100644
--- a/drivers/net/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/bnx2x/bnx2x_cmn.c
@@ -2019,7 +2019,9 @@ static inline void bnx2x_set_pbd_gso(struct sk_buff *skb,
 static inline  u8 bnx2x_set_pbd_csum_e2(struct bnx2x *bp, struct sk_buff *skb,
 	u32 *parsing_data, u32 xmit_type)
 {
-	*parsing_data |= ((tcp_hdrlen(skb)/4) <<
+	u8 tcphlen = (xmit_type & XMIT_CSUM_TCP) ? tcp_hdrlen(skb) : 0;
+
+	*parsing_data |= ((tcphlen/4) <<
 		ETH_TX_PARSE_BD_E2_TCP_HDR_LENGTH_DW_SHIFT) &
 		ETH_TX_PARSE_BD_E2_TCP_HDR_LENGTH_DW;
 
@@ -2027,7 +2029,7 @@ static inline  u8 bnx2x_set_pbd_csum_e2(struct bnx2x *bp, struct sk_buff *skb,
 		ETH_TX_PARSE_BD_E2_TCP_HDR_START_OFFSET_W_SHIFT) &
 		ETH_TX_PARSE_BD_E2_TCP_HDR_START_OFFSET_W;
 
-	return skb_transport_header(skb) + tcp_hdrlen(skb) - skb->data;
+	return skb_transport_header(skb) + tcphlen - skb->data;
 }
 
 /**
@@ -2044,6 +2046,7 @@ static inline u8 bnx2x_set_pbd_csum(struct bnx2x *bp, struct sk_buff *skb,
 	u32 xmit_type)
 {
 	u8 hlen = (skb_network_header(skb) - skb->data) / 2;
+	u8 tcphlen = (xmit_type & XMIT_CSUM_TCP) ? tcp_hdrlen(skb) : 0;
 
 	/* for now NS flag is not used in Linux */
 	pbd->global_data =
@@ -2053,7 +2056,7 @@ static inline u8 bnx2x_set_pbd_csum(struct bnx2x *bp, struct sk_buff *skb,
 	pbd->ip_hlen_w = (skb_transport_header(skb) -
 			skb_network_header(skb)) / 2;
 
-	hlen += pbd->ip_hlen_w + tcp_hdrlen(skb) / 2;
+	hlen += pbd->ip_hlen_w + tcphlen / 2;
 
 	pbd->total_hlen_w = cpu_to_le16(hlen);
 	hlen = hlen*2;


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ