lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 5 Dec 2013 16:09:22 -0800
From:	Michael Dalton <mwdalton@...gle.com>
To:	"David S. Miller" <davem@...emloft.net>
Cc:	netdev@...r.kernel.org, Eric Dumazet <edumazet@...gle.com>,
	Rusty Russell <rusty@...tcorp.com.au>,
	"Michael S. Tsirkin" <mst@...hat.com>,
	Jason Wang <jasowang@...hat.com>,
	Andrey Vagin <avagin@...nvz.org>,
	lf-virt <virtualization@...ts.linux-foundation.org>,
	Michael Dalton <mwdalton@...gle.com>
Subject: Re: [PATCH v2] virtio-net: free bufs correctly on invalid packet length

Hi,

A quick note on this patch: I have confirmed that without this
patch a kernel crash occurs if we force a 'packet too short' error
sufficiently many times. This patch eliminates the kernel crash.

Since this crash would be triggered by a hypervisor bug, I made a
small change not reflected in the above patch to make the crash easier
to reproduce for testing purposes. I treated 1 out of every 128 packets
with len < MERGE_BUFFER_LEN as 'too short'. With this change in
place, just running netperf will cause the sender to crash very quickly
(the receiver will transmit pure data ACKs that meet the drop criteria).

If anyone would like to reproduce the crash using the above setup,
I added an unsigned int num_packets field to struct receive_queue and
changed the if condition for the packet too short check in receive_buf()
from:
        if (unlikely(len < sizeof(struct virtio_net_hdr) + ETH_HLEN)) {
to:
        if (unlikely((len < sizeof(struct virtio_net_hdr) + ETH_HLEN) ||
                     (len < MERGE_BUFFER_LEN &&
                      ((++rq->num_packets & 127) == 0)))) {

Best,

Mike
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ