Message-ID: <AM4PR0501MB1940F79651D521A7D4DAA512DB160@AM4PR0501MB1940.eurprd05.prod.outlook.com>
Date: Wed, 3 May 2017 11:45:04 +0000
From: Ilan Tayari <ilant@...lanox.com>
To: Steffen Klassert <steffen.klassert@...unet.com>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: RE: [PATCH net-next] net/esp4: Fix invalid esph pointer crash

> -----Original Message-----
> From: Steffen Klassert [mailto:steffen.klassert@...unet.com]
>
> On Sun, Apr 30, 2017 at 04:34:38PM +0300, ilant@...lanox.com wrote:
> > From: Ilan Tayari <ilant@...lanox.com>
> >
> > Both esp_output and esp_xmit take a pointer to the ESP header
> > and place it in esp_info struct prior to calling esp_output_head.
> >
> > Inside esp_output_head, the call to esp_output_udp_encap
> > makes sure to update the pointer if it gets invalid.
> > However, if esp_output_head itself calls skb_cow_data, the
> > pointer is not updated and stays invalid, causing a crash
> > after esp_output_head returns.
> >
> > Update the pointer if it becomes invalid in esp_output_head
> >
> > Fixes: fca11ebde3f0 ("esp4: Reorganize esp_output")
> > Signed-off-by: Ilan Tayari <ilant@...lanox.com>
> > ---
> > net/ipv4/esp4.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
> > index 7f2caf71212b..65cc02bd82bc 100644
> > --- a/net/ipv4/esp4.c
> > +++ b/net/ipv4/esp4.c
> > @@ -317,6 +317,7 @@ int esp_output_head(struct xfrm_state *x, struct
> sk_buff *skb, struct esp_info *
> > if (nfrags < 0)
> > goto out;
> > tail = skb_tail_pointer(trailer);
> > + esp->esph = ip_esp_hdr(skb);
>
> This is not quite right for udpencap. It fixes the crash,
> but introduces a bug that we already have in v4.11.
>
> On udpencap the esp header has an offset to skb_transport_header,
> the problem was discussed last week here:
>
> https://lkml.org/lkml/2017/4/25/937
>
> I plan to fix this with the patch below:
>
> Subject: [PATCH RFC] esp4: Fix udpencap for local TCP packets.
>

This patch works for me.
I don't have udp-encap test facilities, though (yet!).

Ilan.
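
Review bot: the added `esp->esph = ip_esp_hdr(skb);` after `tail = skb_tail_pointer(trailer);` runs unconditionally and takes the header position from the transport header, so in the UDP-encapsulation case, where the reply in this thread notes that the ESP header sits at an offset from skb_transport_header, it replaces the pointer that esp_output_udp_encap maintained with one that does not point at the ESP header. Suggest recording the header's offset from the transport header before the skb_cow_data call named in the commit message and reapplying that offset afterwards, so both the plain and the encapsulated case get a valid pointer. A one-line comment saying why the pointer has to be refreshed at this point would also help, since nothing in the hunk shows that the data may have moved.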