| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1459200597.6473.138.camel@edumazet-glaptop3.roam.corp.google.com> Date: Mon, 28 Mar 2016 14:29:57 -0700 From: Eric Dumazet <eric.dumazet@...il.com> To: Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu> Cc: Jan Engelhardt <jengelh@...i.de>, David Miller <davem@...emloft.net>, sploving1@...il.com, Pablo Neira Ayuso <pablo@...filter.org>, Patrick McHardy <kaber@...sh.net>, netfilter-devel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet On Mon, 2016-03-28 at 23:11 +0200, Jozsef Kadlecsik wrote: > In net/netfilter/nf_conntrack_proto_tcp.c we copy the options into a > buffer with skb_header_pointer(), so it's not a false positive there and > the KASAN report referred to that part. > Although the out of bound could be one extra byte, if skb_header_bpointer() had to copy something (since it also might return a pointer inside skb->head) No arch would possibly fault here. So reading one byte on the stack is fooling KASAN, but no ill effect would actually happen. If the read byte is < 2, the function would return because of if (opsize < 2) return; If the read byte is >= 2, the function would return because of if (opsize > length) return; /* don't parse partial options */ (Since we care here of the case where length == 1) No big deal, it is probably better to 'fix' the code so that it pleases dynamic checkers.
Powered by blists - more mailing lists