| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2c741a81-23b3-fa26-89b2-6c3d94b20b96@gmail.com>
Date: Wed, 28 Mar 2018 21:03:40 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: Dongli Zhang <dongli.zhang@...cle.com>,
xen-devel@...ts.xenproject.org, linux-kernel@...r.kernel.org
Cc: netdev@...r.kernel.org, paul.durrant@...rix.com,
wei.liu2@...rix.com
Subject: Re: [PATCH v2 1/1] xen-netback: process malformed sk_buff correctly
to avoid BUG_ON()
On 03/28/2018 08:51 PM, Dongli Zhang wrote:
> The "BUG_ON(!frag_iter)" in function xenvif_rx_next_chunk() is triggered if
> the received sk_buff is malformed, that is, when the sk_buff has pattern
> (skb->data_len && !skb_shinfo(skb)->nr_frags). Below is a sample call
> stack:
>
>...
>
> The issue is hit by xen-netback when there is bug with other networking
> interface (e.g., dom0 physical NIC), who has generated and forwarded
> malformed sk_buff to dom0 vifX.Y. It is possible to reproduce the issue on
> purpose with below sample code in a kernel module:
>
> skb->dev = dev; // dev of vifX.Y
> skb->len = 386;
> skb->data_len = 352;
> skb->tail = 98;
> skb->end = 384;
> skb_shinfo(skb)->nr_frags = 0;
> dev->netdev_ops->ndo_start_xmit(skb, dev);
>
This would be a serious bug in the provider of such skb.
Are you sure you do not have instead an skb with a chain of skbs ?
(skb_shinfo(skb)->frag_list would be not NULL)
Maybe your driver is wrongly advertising NETIF_F_FRAGLIST
commit 2167ca029c244901831 would be the bug origin then...
Powered by blists - more mailing lists