Message-ID: <de0d7a7db4c24b46838aee7623d5d2a3@AMSPEX02CL03.citrite.net>
Date: Thu, 19 Jan 2017 09:36:12 +0000
From: Paul Durrant <Paul.Durrant@...rix.com>
To: Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
Sowmini Varadhan <sowmini.varadhan@...cle.com>,
Wei Liu <wei.liu2@...rix.com>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"xen-devel@...ts.xenproject.org" <xen-devel@...ts.xenproject.org>
Subject: RE: [Xen-devel] xennet_start_xmit assumptions
> -----Original Message-----
> From: Konrad Rzeszutek Wilk [mailto:konrad.wilk@...cle.com]
> Sent: 18 January 2017 19:25
> To: Sowmini Varadhan <sowmini.varadhan@...cle.com>; Wei Liu
> <wei.liu2@...rix.com>; Paul Durrant <Paul.Durrant@...rix.com>
> Cc: netdev@...r.kernel.org; xen-devel@...ts.xenproject.org
> Subject: Re: [Xen-devel] xennet_start_xmit assumptions
>
> On Wed, Jan 18, 2017 at 10:31:32AM -0500, Sowmini Varadhan wrote:
> > As I was playing around with pf_packet, I accidentally wrote
> > a buggy application program that bzero'ed the msghdr, then set
> > up the msg_name, msg_namelen correctly, and then did a sendmsg
> > on the pf_packet/SOCK_RAW fd.
> >
> > This causes packet_snd to set up an skb with a lot of issues,
> > e.g., skb->len = 0, skb_headlen(skb) is 0, etc. I think we can/should
> > drop the packet in packet_snd if the skb->len is 0, but there
> > may be other driver bugs going on:
> >
> > Turns out that ixgbe and sunvnet handle this problematic
> > skb correctly (they drop it and system remains stable),
> > but it creates a panic in xen_netfront (xennet_start_xmit()
> > hits a null pointer deref when xennet_make_first_txreq() returns
> > NULL)
> >
> > I'm new to the xen driver code, so I'm hoping that
> > the experts can comment here: reading the code in xennet_start_xmit,
> > it seems like it mandatorily requires the skb_headlen() to be
> > non-zero in order to create the first_tx? That may not always be
> > true, how does the code recover for purely non-linear skbs?

Hi Sowmini,

Sounds like a straightforward bug to me... netfront should be able to handle an empty skb and clearly, if it's relying on skb_headlen() being non-zero, that's not the case.

Paul

> >
> > --Sowmini
>
> CC-ing the two folks from the MAINTAINERS file.