| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Feb 2015 16:48:53 -0800
From: Eric Dumazet <eric.dumazet@...il.com>
To: Brian Rak <brak@...tr.com>
Cc: netdev@...r.kernel.org
Subject: Re: Repeatable IPv6 crash in 3.19.0-1
On Fri, 2015-02-27 at 16:37 -0500, Brian Rak wrote:
> I've been seeing a crash under 3.19.0 that seems to occur when I put
> heavy traffic across a macvtap/veth interface.
>
> We have a KVM guest attached to a veth pair using macvtap. We're
> routing IPv6 traffic into one end of the veth pair using some static
> routes. We do *not* have proxy_ndp enabled (though, we are using some
> software to do neighbor proxying - http://priv.nu/projects/ndppd/ ).
>
> I've been able to reproduce this pretty easily by downloading some large
> files from the guest. We see two traces in a row when this occurs:
Nice !
Crash is in neigh_hh_output()
-> memcpy(skb->data - HH_DATA_MOD, hh->hh_data, HH_DATA_MOD);
And there is only 14 bytes of headroom instead of 16.
Some layer did not align skb_headroom(skb) to HH_DATA_MOD for ethernet
header.
IPv4 has a paranoid section, not IPv6 :
/* Be paranoid, rather than too clever. */
if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops)) {
struct sk_buff *skb2;
skb2 = skb_realloc_headroom(skb, LL_RESERVED_SPACE(dev));
if (skb2 == NULL) {
kfree_skb(skb);
return -ENOMEM;
}
if (skb->sk)
skb_set_owner_w(skb2, skb->sk);
consume_skb(skb);
skb = skb2;
}
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists