| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20170822.142843.2204716875223379803.davem@davemloft.net>
Date: Tue, 22 Aug 2017 14:28:43 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: eric.dumazet@...il.com
Cc: pabeni@...hat.com, willemb@...gle.com, netdev@...r.kernel.org
Subject: Re: [PATCH v2 net] udp: on peeking bad csum, drop packets even if
not at head
From: Eric Dumazet <eric.dumazet@...il.com>
Date: Tue, 22 Aug 2017 09:39:28 -0700
> From: Eric Dumazet <edumazet@...gle.com>
>
> When peeking, if a bad csum is discovered, the skb is unlinked from
> the queue with __sk_queue_drop_skb and the peek operation restarted.
>
> __sk_queue_drop_skb only drops packets that match the queue head.
>
> This fails if the skb was found after the head, using SO_PEEK_OFF
> socket option. This causes an infinite loop.
>
> We MUST drop this problematic skb, and we can simply check if skb was
> already removed by another thread, by looking at skb->next :
>
> This pointer is set to NULL by the __skb_unlink() operation, that might
> have happened only under the spinlock protection.
>
> Many thanks to syzkaller team (and particularly Dmitry Vyukov who
> provided us nice C reproducers exhibiting the lockup) and Willem de
> Bruijn who provided first version for this patch and a test program.
>
> Fixes: 627d2d6b5500 ("udp: enable MSG_PEEK at non-zero offset")
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
Applied and queued up for -stable.
Powered by blists - more mailing lists