lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 22 Aug 2017 14:28:43 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     eric.dumazet@...il.com
Cc:     pabeni@...hat.com, willemb@...gle.com, netdev@...r.kernel.org
Subject: Re: [PATCH v2 net] udp: on peeking bad csum, drop packets even if
 not at head

From: Eric Dumazet <eric.dumazet@...il.com>
Date: Tue, 22 Aug 2017 09:39:28 -0700

> From: Eric Dumazet <edumazet@...gle.com>
> 
> When peeking, if a bad csum is discovered, the skb is unlinked from
> the queue with __sk_queue_drop_skb and the peek operation restarted.
> 
> __sk_queue_drop_skb only drops packets that match the queue head.
> 
> This fails if the skb was found after the head, using SO_PEEK_OFF
> socket option. This causes an infinite loop.
> 
> We MUST drop this problematic skb, and we can simply check if skb was
> already removed by another thread, by looking at skb->next :
> 
> This pointer is set to NULL by the  __skb_unlink() operation, that might
> have happened only under the spinlock protection.
> 
> Many thanks to syzkaller team (and particularly Dmitry Vyukov who
> provided us nice C reproducers exhibiting the lockup) and Willem de
> Bruijn who provided first version for this patch and a test program.
> 
> Fixes: 627d2d6b5500 ("udp: enable MSG_PEEK at non-zero offset")
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Reported-by: Dmitry Vyukov <dvyukov@...gle.com>

Applied and queued up for -stable.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ