lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <98aada63cb294d9ea4eb7807ccb42baa@SIXPR30MB031.064d.mgd.msft.net>
Date:	Tue, 28 Apr 2015 02:57:12 +0000
From:	Dexuan Cui <decui@...rosoft.com>
To:	KY Srinivasan <kys@...rosoft.com>,
	"davem@...emloft.net" <davem@...emloft.net>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"devel@...uxdriverproject.org" <devel@...uxdriverproject.org>,
	"olaf@...fle.de" <olaf@...fle.de>,
	"apw@...onical.com" <apw@...onical.com>,
	"jasowang@...hat.com" <jasowang@...hat.com>
Subject: RE: [PATCH net 1/1] hv_netvsc: Fix a bug in netvsc_start_xmit()

> -----Original Message-----
> From: devel [mailto:driverdev-devel-bounces@...uxdriverproject.org] On
> Behalf Of K. Y. Srinivasan
> Sent: Tuesday, April 28, 2015 9:15
> To: davem@...emloft.net; netdev@...r.kernel.org; linux-
> kernel@...r.kernel.org; devel@...uxdriverproject.org; olaf@...fle.de;
> apw@...onical.com; jasowang@...hat.com
> Subject: [PATCH net 1/1] hv_netvsc: Fix a bug in netvsc_start_xmit()
> 
> Commit commit b08cc79155fc26d0d112b1470d1ece5034651a4b
> eliminated memory
> allocation in the packet send path. This commit introduced a bug since it
> did not account for the case if the skb was cloned. Fix this bug by
> using the pre-reserved head room only if the skb is not cloned.
> 
> Signed-off-by: K. Y. Srinivasan <kys@...rosoft.com>
> ---
>  drivers/net/hyperv/netvsc_drv.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/drivers/net/hyperv/netvsc_drv.c
> b/drivers/net/hyperv/netvsc_drv.c
> index a3a9d38..7eb0251 100644
> --- a/drivers/net/hyperv/netvsc_drv.c
> +++ b/drivers/net/hyperv/netvsc_drv.c
> @@ -421,7 +421,7 @@ check_size:
> 
>  	pkt_sz = sizeof(struct hv_netvsc_packet) + RNDIS_AND_PPI_SIZE;
> 
> -	if (head_room < pkt_sz) {
> +	if (skb->cloned ||  head_room < pkt_sz) {
>  		packet = kmalloc(pkt_sz, GFP_ATOMIC);
>  		if (!packet) {
>  			/* out of memory, drop packet */
> --

Without the patch, the guest can panic due to memory corruption.

I confirm the patch can fix the panic I saw.

Tested-by: Dexuan Cui <decui@...rosoft.com>

Thanks,
-- Dexuan
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ