lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 29 Mar 2018 12:24:51 +0800
From:   Dongli Zhang <dongli.zhang@...cle.com>
To:     Eric Dumazet <eric.dumazet@...il.com>
Cc:     xen-devel@...ts.xenproject.org, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, paul.durrant@...rix.com,
        wei.liu2@...rix.com
Subject: Re: [Xen-devel] [PATCH v2 1/1] xen-netback: process malformed sk_buff
 correctly to avoid BUG_ON()

Hi Eric,

On 03/29/2018 12:03 PM, Eric Dumazet wrote:
> 
> 
> On 03/28/2018 08:51 PM, Dongli Zhang wrote:
>> The "BUG_ON(!frag_iter)" in function xenvif_rx_next_chunk() is triggered if
>> the received sk_buff is malformed, that is, when the sk_buff has pattern
>> (skb->data_len && !skb_shinfo(skb)->nr_frags). Below is a sample call
>> stack:
>>
>> ...
> 
> 
>>
>> The issue is hit by xen-netback when there is bug with other networking
>> interface (e.g., dom0 physical NIC), who has generated and forwarded
>> malformed sk_buff to dom0 vifX.Y. It is possible to reproduce the issue on
>> purpose with below sample code in a kernel module:
>>
>> skb->dev = dev; // dev of vifX.Y
>> skb->len = 386;
>> skb->data_len = 352;
>> skb->tail = 98;
>> skb->end = 384;
>> skb_shinfo(skb)->nr_frags = 0;
>> dev->netdev_ops->ndo_start_xmit(skb, dev);
>>
> 
> This would be a serious bug in the provider of such skb.

/nods

> 
> Are you sure you do not have instead an skb with a chain of skbs ?
> 
> (skb_shinfo(skb)->frag_list would be not NULL)

I am sure the skb_shinfo(skb)->frag_list is NULL.

> 
> Maybe your driver is wrongly advertising NETIF_F_FRAGLIST
> 
> commit 2167ca029c244901831 would be the bug origin then...

Unlike the new linux version (whose BUG_ON() does not panic the server), the
BUG_ON() in prior old kernel version would panic xen dom0 server and then people
would always blame xen paravirtual driver.

Indeed, xen-netback did not process the malformed sk_buff appropriately on rx
path. The issue is not hit with old dom0 kernel, when I am running the debug
module (as shown in below link) to generate a malformed sk_buff on purpose.

https://lists.xenproject.org/archives/html/xen-devel/2018-03/msg03176.html

Dongli Zhang

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ