lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20180917.081520.1792531317539601050.davem@davemloft.net>
Date:   Mon, 17 Sep 2018 08:15:20 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     igor.russkikh@...antia.com
Cc:     nikita.danilov@...antia.com, netdev@...r.kernel.org,
        f.gerold@...-s.de
Subject: Re: [PATCH v2 net] net: aquantia: memory corruption on jumbo frames

From: Igor Russkikh <igor.russkikh@...antia.com>
Date: Sat, 15 Sep 2018 18:03:39 +0300

> From: Friedemann Gerold <f.gerold@...-s.de>
> 
> This patch fixes skb_shared area, which will be corrupted
> upon reception of 4K jumbo packets.
> 
> Originally build_skb usage purpose was to reuse page for skb to eliminate
> needs of extra fragments. But that logic does not take into account that
> skb_shared_info should be reserved at the end of skb data area.
> 
> In case packet data consumes all the page (4K), skb_shinfo location
> overflows the page. As a consequence, __build_skb zeroed shinfo data above
> the allocated page, corrupting next page.
> 
> The issue is rarely seen in real life because jumbo are normally larger
> than 4K and that causes another code path to trigger.
> But it 100% reproducible with simple scapy packet, like:
> 
>     sendp(IP(dst="192.168.100.3") / TCP(dport=443) \
>           / Raw(RandString(size=(4096-40))), iface="enp1s0")
> 
> Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code")
> 
> Reported-by: Friedemann Gerold <f.gerold@...-s.de>
> Reported-by: Michael Rauch <michael@...ch.be>
> Signed-off-by: Friedemann Gerold <f.gerold@...-s.de>
> Tested-by: Nikita Danilov <nikita.danilov@...antia.com>
> Signed-off-by: Igor Russkikh <igor.russkikh@...antia.com>

APplied and queued up for -stable.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ