| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20180806.134912.959959515248298207.davem@davemloft.net>
Date: Mon, 06 Aug 2018 13:49:12 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: willemdebruijn.kernel@...il.com
Cc: netdev@...r.kernel.org, eric.dumazet@...il.com,
loke.chetan@...il.com, willemb@...gle.com
Subject: Re: [PATCH net] packet: refine ring v3 block size test to hold one
frame
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
Date: Mon, 6 Aug 2018 10:38:34 -0400
> From: Willem de Bruijn <willemb@...gle.com>
>
> TPACKET_V3 stores variable length frames in fixed length blocks.
> Blocks must be able to store a block header, optional private space
> and at least one minimum sized frame.
>
> Frames, even for a zero snaplen packet, store metadata headers and
> optional reserved space.
>
> In the block size bounds check, ensure that the frame of the
> chosen configuration fits. This includes sockaddr_ll and optional
> tp_reserve.
>
> Syzbot was able to construct a ring with insuffient room for the
> sockaddr_ll in the header of a zero-length frame, triggering an
> out-of-bounds write in dev_parse_header.
>
> Convert the comparison to less than, as zero is a valid snap len.
> This matches the test for minimum tp_frame_size immediately below.
>
> Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
> Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Signed-off-by: Willem de Bruijn <willemb@...gle.com>
Good catch, applied and queued up for -stable, thanks.
Powered by blists - more mailing lists