| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 29 Nov 2018 16:28:39 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: cpaasch@...le.com
Cc: netdev@...r.kernel.org, bhole_prashant_q7@....ntt.co.jp,
tyhicks@...onical.com, eric.dumazet@...il.com
Subject: Re: [PATCH v2 net] net: Prevent invalid access to skb->prev in
__qdisc_drop_all
From: Christoph Paasch <cpaasch@...le.com>
Date: Thu, 29 Nov 2018 16:01:04 -0800
> __qdisc_drop_all() accesses skb->prev to get to the tail of the
> segment-list.
>
> With commit 68d2f84a1368 ("net: gro: properly remove skb from list")
> the skb-list handling has been changed to set skb->next to NULL and set
> the list-poison on skb->prev.
>
> With that change, __qdisc_drop_all() will panic when it tries to
> dereference skb->prev.
>
> Since commit 992cba7e276d ("net: Add and use skb_list_del_init().")
> __list_del_entry is used, leaving skb->prev unchanged (thus,
> pointing to the list-head if it's the first skb of the list).
> This will make __qdisc_drop_all modify the next-pointer of the list-head
> and result in a panic later on:
...
> This patch makes sure that skb->prev is set to NULL when entering
> netem_enqueue.
>
> Cc: Prashant Bhole <bhole_prashant_q7@....ntt.co.jp>
> Cc: Tyler Hicks <tyhicks@...onical.com>
> Cc: Eric Dumazet <eric.dumazet@...il.com>
> Fixes: 68d2f84a1368 ("net: gro: properly remove skb from list")
> Suggested-by: Eric Dumazet <eric.dumazet@...il.com>
> Signed-off-by: Christoph Paasch <cpaasch@...le.com>
Applied and queued up for -stable, thanks!
Powered by blists - more mailing lists