lists.openwall.net
Open Source and information security mailing list archives
Date:   Mon, 17 Sep 2018 08:15:20 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     igor.russkikh@...antia.com
Cc:     nikita.danilov@...antia.com, netdev@...r.kernel.org,
        f.gerold@...-s.de
Subject: Re: [PATCH v2 net] net: aquantia: memory corruption on jumbo frames

From: Igor Russkikh <igor.russkikh@...antia.com>
Date: Sat, 15 Sep 2018 18:03:39 +0300

> From: Friedemann Gerold <f.gerold@...-s.de>
> 
> This patch fixes the skb_shared area, which will be corrupted
> upon reception of 4K jumbo packets.
> 
> Originally, the purpose of using build_skb was to reuse the page for the skb
> to eliminate the need for extra fragments. But that logic does not take into
> account that skb_shared_info should be reserved at the end of the skb data area.
> 
> In case the packet data consumes the whole page (4K), the skb_shinfo location
> overflows the page. As a consequence, __build_skb zeroes the shinfo data above
> the allocated page, corrupting the next page.
> 
> The issue is rarely seen in real life because jumbo frames are normally larger
> than 4K, which causes another code path to trigger.
> But it is 100% reproducible with a simple scapy packet, like:
> 
>     from scapy.all import IP, TCP, Raw, RandString, sendp
>     # 20 (IP) + 20 (TCP) + 4056 bytes of payload = 4096 bytes, one full page
>     sendp(IP(dst="192.168.100.3") / TCP(dport=443) \
>           / Raw(RandString(size=(4096-40))), iface="enp1s0")
> 
> Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code")
> 
> Reported-by: Friedemann Gerold <f.gerold@...-s.de>
> Reported-by: Michael Rauch <michael@...ch.be>
> Signed-off-by: Friedemann Gerold <f.gerold@...-s.de>
> Tested-by: Nikita Danilov <nikita.danilov@...antia.com>
> Signed-off-by: Igor Russkikh <igor.russkikh@...antia.com>

Applied and queued up for -stable.
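To make the failure mode in the commit message concrete, here is an added userspace model of the buffer layout; it is not kernel code and not the aquantia driver's code, and it only follows the description above. Everything below is an assumption for the model: 4K pages, 64-byte cache lines, a 320-byte skb_shared_info, and a buggy caller that sizes the skb as "frame length plus shinfo room" so that the shared info lands directly after the packet data. With the frame filling the whole page, the zeroing of the shared info runs into the page behind it; the modelled fix only uses build_skb when frame plus shinfo fits, and sizes the skb by the whole page so the shared info always stays inside it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model, not kernel code. All sizes are assumptions:
 * 4K pages, 64-byte cache lines, a 320-byte skb_shared_info. */
#define PAGE_SIZE         4096u
#define SMP_CACHE_BYTES   64u
#define SKB_DATA_ALIGN(x) (((x) + (SMP_CACHE_BYTES - 1)) & ~(SMP_CACHE_BYTES - 1))

struct model_shinfo { uint8_t bytes[320]; };  /* stands in for struct skb_shared_info */
#define SHINFO_RESERVE SKB_DATA_ALIGN(sizeof(struct model_shinfo))

/* The rx page is followed by a neighbouring page filled with a canary,
 * so any write past the end of the rx page becomes visible. */
#define CANARY 0xA5

/* Model of __build_skb(data, frag_size): the shared info occupies the last
 * SHINFO_RESERVE bytes of frag_size and is zeroed. Nothing here checks that
 * data + frag_size stays inside the page; that is the caller's job. */
static struct model_shinfo *model_build_skb(uint8_t *data, size_t frag_size)
{
    struct model_shinfo *sh = (struct model_shinfo *)(data + frag_size - SHINFO_RESERVE);
    memset(sh, 0, sizeof *sh);
    return sh;
}

/* Buggy caller (assumed shape): "frame plus room for shinfo", which puts
 * the shared info right behind the packet data. For a 4096-byte frame
 * that is the first 320 bytes of the next page. */
static void buggy_rx(uint8_t *rx, size_t frame_len)
{
    model_build_skb(rx, frame_len + SHINFO_RESERVE);
}

/* Fixed caller (assumed shape): only use build_skb when the frame and the
 * shared info both fit in one page, and size the skb by the whole page so
 * the shared info is always inside it. Larger frames take the fallback
 * (fragment) path. Returns true when build_skb was used. */
static bool frame_fits_build_skb(size_t frame_len)
{
    return frame_len + SHINFO_RESERVE <= PAGE_SIZE;
}

static bool fixed_rx(uint8_t *rx, size_t frame_len)
{
    if (!frame_fits_build_skb(frame_len))
        return false;                 /* fallback path: page left untouched */
    model_build_skb(rx, PAGE_SIZE);
    return true;
}

/* Run one receive with either caller and report how many bytes of the
 * neighbouring page were clobbered. Returns (size_t)-1 on allocation failure. */
static size_t corruption_after_rx(size_t frame_len, bool fixed)
{
    uint8_t *mem = malloc(2 * PAGE_SIZE);   /* rx page, then neighbour page */
    if (!mem)
        return (size_t)-1;
    uint8_t *rx = mem, *neighbour = mem + PAGE_SIZE;
    memset(rx, 0, PAGE_SIZE);
    memset(neighbour, CANARY, PAGE_SIZE);

    if (fixed)
        fixed_rx(rx, frame_len);
    else
        buggy_rx(rx, frame_len);

    size_t clobbered = 0;
    for (size_t i = 0; i < PAGE_SIZE; i++)
        clobbered += (neighbour[i] != CANARY);
    free(mem);
    return clobbered;
}

int main(void)
{
    size_t lens[] = { 1514, 3800, 4096 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("frame %4zu: buggy clobbers %3zu bytes of the next page, fixed clobbers %zu\n",
               lens[i], corruption_after_rx(lens[i], false),
               corruption_after_rx(lens[i], true));
    return 0;
}
```

A 1514-byte frame leaves the neighbouring page untouched under either caller, which is why the bug hides behind ordinary MTU traffic; the 4096-byte frame from the scapy line above is the case where the buggy caller zeroes 320 bytes of whatever page follows the rx buffer, while the fixed caller declines build_skb for it.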
